BeyondTrust has released patches addressing two critical security flaws in its Remote Support (RS) and Privileged Remote Access (PRA) products. The vulnerabilities, if exploited, could let unauthenticated attackers seize control of susceptible devices.
The first flaw, tracked as CVE-2026-40138, carries a CVSS score of 9.2 and is a pre-authentication vulnerability. The full impact and scope of exploitation remain unclear, but the severity rating indicates a high risk of compromise without authentication.
Attackers can trigger these flaws remotely without prior access, making them particularly dangerous for organizations relying on BeyondTrust's remote support and privileged access management tools. Specific technical details about the attack vector are limited.
BeyondTrust has urged customers to apply the available patches immediately. No workarounds have been disclosed beyond updating to the fixed versions. The company has not yet released a timeline for additional fixes.
Attribution for the discovery of these flaws has not been provided, nor have reports of active exploitation in the wild emerged. Organizations should prioritize patching as a precaution.