External risk intelligence

BeyondTrust Remote Support Authentication Bypass Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-40138

BeyondTrust Remote Support and Privileged Remote Access appliances are designed to be internet-facing gateways to provide secure remote access. As network edge appliances intended for remote connectivity, these products are commonly exposed directly to the public internet by design.

Authentication Bypass

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the authentication system of BeyondTrust Remote Support and Privileged Remote Access products. This issue could allow an attacker on the network to bypass security controls and gain unauthorized access to the appliance, potentially accessing privileged accounts. Exploitation is dependent on a specific authentication configuration being enabled.

  • Unauthorized access to appliances is possible.
  • Confirms the need for proper configuration management.
  • Verify relevance and exposure to protected systems.

Attack Path

How an attacker could exploit the issue

An attacker on the network could exploit this vulnerability by targeting the authentication system without needing any prior credentials. If a specific authentication configuration is active, the attacker can bypass access controls, gaining unauthorized access to the appliance and potentially privileged accounts. This could lead to significant compromise of the system.

  • Network access required.
  • Improper authentication data validation.
  • Unauthorized access to appliance.

Live Threat

Current exploitation, exposure, and threat context

A network-positioned attacker, when specific authentication configurations are enabled, could bypass access controls and gain unauthorized access to the appliance, potentially accessing accounts with elevated privileges.

  • Appliance access and elevated accounts.
  • Bypass access controls via improper validation.
  • Unauthorized access to sensitive system data.

Operational Fix

Recommended remediation, mitigation, and detection steps

Given the nature of BeyondTrust Remote Support and Privileged Remote Access as network edge appliances, platform or infrastructure teams are likely responsible for their operation, with security teams overseeing access controls and vendor-management teams coordinating with BeyondTrust. The immediate priority is to identify all deployed instances, determine their exposure and business criticality, and confirm the accountable owner before planning remediation.

  • Platform/Infrastructure and Security teams.
  • Confirm instance reachability and criticality.
  • Plan remediation based on assessed risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is BeyondTrust Remote Support and Privileged Remote Access?

These software products are specialized appliances used by organizations to manage secure remote connections. They act as gateways that allow IT teams, vendors, or administrators to access remote systems, servers, and desktops securely, often replacing less secure methods like traditional VPNs. They serve as central hubs for support sessions and privileged access management within an enterprise environment.

What does CWE-287 mean for CVE-2026-40138?

CWE-287 refers to Improper Authentication. In the context of this CVE, it means the system fails to correctly verify the identity of a user or the data provided during the login process. Because of this flaw, an attacker could potentially trick the appliance into accepting their connection as valid, effectively bypassing the security gates that are supposed to keep unauthorized users out.

Do I need specific conditions for CVE-2026-40138 to be triggered?

Yes. This vulnerability is not triggered by default in all environments. It requires a specific authentication configuration to be enabled on the appliance. If your current authentication settings do not utilize this specific configuration, the vulnerability may not be exploitable. You should review your appliance's settings against the vendor's documentation to see if your configuration matches the requirements for this flaw.

Is my organization at risk from CVE-2026-40138?

Halo Surface Signal indicates that these appliances are designed as network edge gateways, making them very likely to be internet-facing. Because they are often exposed directly to the public internet to facilitate remote connectivity, any instance reachable from the outside is at higher risk. Organizations using these appliances should consider them critical assets that require immediate verification of their internet exposure and configuration status.

How should I respond to this vulnerability?

Start by identifying every instance of BeyondTrust Remote Support and Privileged Remote Access deployed in your environment. Confirm which teams are responsible for these assets and check if the specific authentication configuration mentioned in the advisory is currently active. Coordinate with your security and infrastructure teams to review the official vendor guidance and prepare to apply any necessary updates or configuration changes.

References