External risk intelligence

BeyondTrust Remote Support Authentication Bypass Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-40139

BeyondTrust Remote Support is an appliance designed to provide remote access and support, which is typically deployed as a public-facing gateway to facilitate connections from external users and technicians. Its function as an internet-facing remote access service makes it highly likely to be reachable from the internet in common deployments.

Authentication Bypass

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in BeyondTrust Remote Support's authentication system could allow unauthenticated attackers to bypass access controls and gain unauthorized access to appliances, potentially including privileged accounts, if a specific authentication configuration is enabled.

  • Unauthenticated attackers may bypass access controls.
  • Matters if the specific authentication configuration is enabled.
  • Confirm relevance and exposure in your environment.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could potentially bypass access controls by sending specially crafted authentication requests to the BeyondTrust Remote Support appliance. This could grant them unauthorized access, including elevated privileges, if a specific authentication configuration is enabled.

  • Requires specific authentication configuration.
  • Unauthenticated remote attacker bypasses access controls.
  • Unauthorized access to appliance, including privileged accounts.

Live Threat

Current exploitation, exposure, and threat context

A pre-authentication vulnerability in BeyondTrust Remote Support's authentication subsystem could allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges, when a specific authentication configuration is enabled.

  • Appliance access and elevated privileges.
  • Bypass access controls.
  • Unauthorized access to the appliance.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in BeyondTrust Remote Support's authentication subsystem requires careful triage by platform and security teams. The first practical step is to identify all instances of the affected appliance, confirm if the specific authentication configuration is enabled, and assess business criticality and external reachability to determine ownership and plan remediation.

  • Platform and security teams own triage.
  • Verify authentication configuration and reachability.
  • Coordinate vendor engagement and remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is BeyondTrust Remote Support?

BeyondTrust Remote Support is a software platform used by IT teams to securely access and manage remote computers, servers, and devices. It acts as a central gateway, allowing technicians to provide technical assistance or perform maintenance across distributed networks, regardless of the target's physical location.

What does CWE-287 mean for CVE-2026-40139?

CWE-287 refers to Improper Authentication. In the context of CVE-2026-40139, this means the software fails to correctly verify the identity of a user before granting them access. An attacker can exploit this weakness to bypass standard login procedures and gain unauthorized entry into the appliance, effectively tricking the system into believing they are an authenticated, potentially privileged, user.

How does an attacker trigger this bypass?

The vulnerability is triggered by sending specially crafted authentication requests to the target system. Crucially, the bug does not trigger unless a specific, non-default authentication configuration is active. If this specific configuration is not enabled on your appliance, the vulnerability remains inactive and cannot be exploited via this path.

Is my BeyondTrust installation at risk?

Halo Surface Signal indicates that BeyondTrust Remote Support is commonly deployed as an internet-facing gateway to enable external access. Because of this, it is highly likely to be reachable from the internet. You should care if your appliance is accessible to the public web and has the specific authentication configuration enabled, as these factors increase the potential for remote exploitation.

What are the first steps to address this?

Begin by creating an inventory of all BeyondTrust Remote Support appliances in your environment. For each instance, check if the specific vulnerable authentication configuration is enabled. Prioritize instances that are reachable from the internet, determine who manages those systems, and follow the vendor's guidance to secure your deployment.

References