ctipilot.ch
← Back to the live brief
HIGHCVE-2026-40138 +3vulnerability

CVE-2026-40138/-40139/-40140/-40141 — BeyondTrust Remote Support / Privileged Remote Access: critical pre-auth bypass, flagged by NCSC-CH

discovered 2026-07-08 20:35 UTCrun 2026-07-08T2009Z-intel3 sourcesmulti-source

NCSC-CH's Cyber Security Hub (GovCERT.ch, TLP:CLEAR) flagged BeyondTrust's 7 July 2026 advisory BT26-03 covering four vulnerabilities in Remote Support (RS) and Privileged Remote Access (PRA) appliances — the vendor's remote-support/PAM software used by IT service desks including government administrations (NCSC-CH, 2026-07-07). CVE-2026-40138 and CVE-2026-40139 (both CVSS 4.0 9.2, CRITICAL) sit in the shared authentication subsystem: CVE-2026-40138 stems from improper validation of authentication data and CVE-2026-40139 from improper processing of authentication requests, both letting a network-positioned unauthenticated attacker bypass access controls and obtain administrative access — but only where a specific, non-default authentication configuration (unspecified by the vendor) is enabled. CVE-2026-40140 is an unauthenticated DoS in the network-communication subsystem, and CVE-2026-40141 lets a low-privilege authenticated user reach resources beyond their authorization scope. Affected versions are RS/PRA 25.3.2 and earlier, fixed in 25.3.3; BeyondTrust cloud-hosted customers were already patched on 21 April 2026, so self-hosted customers not on auto-update must apply the April security rollup (BleepingComputer, 2026-07-07). Neither BeyondTrust nor NCSC-CH reports confirmed in-the-wild exploitation or a public PoC as of this run. Defender takeaway: this is a home-authority advisory on a high-value target class — remote-support/PAM appliances broker privileged sessions into the estate, and BeyondTrust RS/PRA flaws have come under repeated exploitation in the past to deploy web shells and backdoors (The Hacker News, 2026-07-07); prioritise patching and, given the pre-auth admin-access impact, audit appliance authentication logs for administrative sessions created without a corresponding interactive login.

Successful exploitation allows unauthenticated attackers to bypass access controls and gain administrative access.

Exploitation of the critical authentication bypasses requires specific, non-default authentication configurations, which have not been made public, to be enabled on the target appliance.

NCSC Switzerland (GovCERT.ch) — Cyber Security Hub 2026-07-07

Defender actions

  • Patch BeyondTrust Remote Support / Privileged Remote Access to ≥ 25.3.3 now (self-hosted); cloud instances were fixed 2026-04-21.
  • Until patched, determine whether the non-default authentication configuration required for CVE-2026-40138/-40139 (likely a SAML/OIDC integration) is enabled and disable it if not operationally required; restrict appliance management-plane access to a trusted admin segment.
PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.