BeyondTrust BT26-03: Patch Remote Support and PRA Auth Bypass CVEs

BeyondTrust BT26-03 covers critical Remote Support and Privileged Remote Access CVEs. Self-hosted RS/PRA admins should back up, patch, and verify access.
BeyondTrust BT26-03 Remote Support and Privileged Remote Access patch checklist for self-hosted appliances

BeyondTrust BT26-03 needs attention from anyone running self-hosted Remote Support or Privileged Remote Access. BeyondTrust’s advisory covers four CVEs in Remote Support (RS) and Privileged Remote Access (PRA), including two critical authentication issues rated 9.2 under CVSS v4.

The headline risk is unauthorized appliance access under specific configurations. That puts this in the same operational lane as other remote administration and support tooling: confirm exposure, back up, patch, verify access workflows, and review high-privilege account activity.

What BeyondTrust Published

BeyondTrust advisory BT26-03 lists these vulnerabilities for Remote Support and Privileged Remote Access:

  • CVE-2026-40138: critical improper authentication issue affecting Remote Support and Privileged Remote Access.
  • CVE-2026-40139: critical improper authentication issue affecting Remote Support.
  • CVE-2026-40140: high-severity pre-authentication availability issue affecting Remote Support and Privileged Remote Access.
  • CVE-2026-40141: high-severity authenticated access-control issue affecting Remote Support and Privileged Remote Access.

BeyondTrust says RS and PRA cloud customers were patched as of April 21, 2026. Self-hosted customers should apply the relevant April 2026 security rollup for their branch or upgrade to RS 25.3.3 or PRA 25.3.3 and newer, using the vendor advisory and customer portal to confirm the exact package for their deployment.

Who Should Prioritize This

Prioritize this update if you operate a self-hosted BeyondTrust appliance, expose remote support to the internet, use PRA for vendor or administrator access, or rely on the appliance for help desk, MSP, hosting, healthcare, finance, education, municipal, or managed IT workflows.

Hosted WordPress and server operators should also check whether any customer support, vendor maintenance, emergency access, or privileged session workflow depends on BeyondTrust. A secure website stack can still be exposed through a remote administration tool if that tool is stale.

Backup-First Patch Checklist

  • Identify every Remote Support and Privileged Remote Access appliance, including staging, disaster-recovery, and customer-dedicated instances.
  • Record the current RS or PRA version and whether automatic updates are enabled.
  • Take a current appliance backup or vendor-supported configuration backup before changing versions.
  • Apply the applicable April 2026 security rollup or upgrade to RS/PRA 25.3.3 or newer where that path fits the deployment.
  • After patching, verify administrator login, SSO, local break-glass accounts, vendor access, session recording, jump policies, outbound mail, and help desk workflows.
  • Review recent administrator accounts, vendor accounts, sessions, authentication settings, and audit logs for activity that does not match normal support operations.
  • Reduce public exposure where possible. Put the appliance behind approved access controls and remove stale vendor or emergency accounts.

Do Not Treat CDN Or WAF Visibility As A Patch

A CDN, WAF, or reverse proxy may help with logging, rate controls, and access policy, but it does not repair a vulnerable BeyondTrust appliance. Patch the appliance first, then use edge controls to reduce exposure and monitor abnormal access patterns.

FixItPhill Take

This is a practical “patch the admin tool before the admin tool becomes the weak point” item. If RS or PRA is self-hosted and reachable by staff, vendors, or customers, treat BT26-03 as a maintenance-window priority. The clean order is backup, patch, verify support workflows, then review account and session history.

Sources

Picture of admin

admin

Leave a Reply

Sign up for our Newsletter

Get the latest information on what is going on in the I.T. World.