Back to overview

CVE-2026-40139

CRITICAL
9.2
CVSS 4.0
Description
A critical pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support. Improper processing of authentication requests may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges. Exploitation requires a specific authentication configuration to be enabled.

Metadata

CVE ID
CVE-2026-40139
State
PUBLISHED
Assigner
BT
Reserved
2026-04-09 18:36 UTC
Published
2026-07-06 16:13 UTC
Last updated
2026-07-06 18:55 UTC
Primary CWE
CWE-287
CWE-287 Improper Authentication
Vendor / Product
BeyondTrust / Remote Support
Sources
cve.org  ·  NVD

Severity & Metrics

9.2 CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (2)
VendorProductPlatformVersions
BeyondTrust Privileged Remote Access 0 < 26.2.1, 0 < 25.3.3
BeyondTrust Remote Support 0 < 26.2.1, 0 < 25.3.3
Weakness (CWE)
CWESourceDescription
CWE-287 cna CWE-287 Improper Authentication
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.2 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Back to overview