Emergency Security Bulletin: BeyondTrust Remote Support and Privileged Remote Access

https://www.redlegg.com/hubfs/Theme-2024/overlay-red.png featured image

By: RedLegg's Cyber Threat Intelligence Team

About:

CVE-2026-45659 is a remote code execution vulnerability affecting Microsoft Office SharePoint Server.

Successful exploitation could allow an attacker to execute malicious code in the context of the SharePoint server, potentially leading to unauthorized access to sensitive information, modification of SharePoint content, deployment of malicious components, disruption of collaboration services, and further compromise of the underlying server.

Microsoft addressed the vulnerability in the May 2026 SharePoint security updates. On July 1, 2026, CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) Catalog, indicating observed exploitation risk and the need for immediate verification of patch status across exposed SharePoint environments.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Multiple vulnerabilities affecting BeyondTrust Remote Support and Privileged Remote Access

Identifier: CVE-2026-40138
PoC or Exploitation:
As of this writing, there where no confirmed reports of active exploitation in the wild and no validated public proof-of-concept exploit code.
CVSS Score: 9.2 (Critical, CVSS v4.0)

Update / Patch:
BeyondTrust has released security updates addressing CVE-2026-40138.

Affected products include:
  • BeyondTrust Remote Support
  • BeyondTrust Privileged Remote Access
  • Affected versions include:
  • BeyondTrust Remote Support versions earlier than 25.3.3 in the applicable 25.x release branch
  • BeyondTrust Privileged Remote Access versions earlier than 25.3.3 in the applicable 25.x release branch

Fixed versions include:

  • 25.3.3 or later for the applicable 25.x release branch

BeyondTrust advisory and patch guidance:
BeyondTrust Security Advisory BT26-03
https://www.beyondtrust.com/trust-center/security-advisories/bt26-03

Description:
CVE-2026-40138 is a critical pre-authentication vulnerability in the authentication subsystem of BeyondTrust Remote Support and Privileged Remote Access.

The vulnerability compromises the authentication boundary of the appliance. An attacker who successfully bypasses the affected authentication process may gain access under an elevated account and inherit the permissions and administrative capabilities associated with that account.

This could allow unauthorized access to privileged remote access workflows, remote support sessions, appliance management capabilities, and other functions available to the compromised account.

Mitigation Recommendation:
Immediately upgrade affected BeyondTrust Remote Support and Privileged Remote Access deployments to the appropriate fixed release.

Identify systems using the authentication configuration required for exploitation and prioritize those appliances for immediate remediation.

Prioritize internet-facing or externally reachable BeyondTrust Remote Support and Privileged Remote Access appliances.

Restrict appliance management and authentication interfaces to trusted networks where operationally feasible.

Enforce multi-factor authentication and strong identity controls for privileged accounts where supported.


BeyondTrust Remote Support
Pre-Authentication Access Control Bypass Vulnerability

Identifier: CVE-2026-40139
PoC or Exploitation:
There are no confirmed reports of active exploitation of CVE-2026-40139 in the wild and no validated functional public proof-of-concept exploit code has been identified.
CVSS Score: 9.2 (Critical, CVSS v4.0)

Update / Patch:
BeyondTrust has released security updates addressing CVE-2026-40139.

Affected product includes:

  • BeyondTrust Remote Support

Affected versions include:

  • BeyondTrust Remote Support 25.3.2 and earlier

Fixed versions and remediation include:

  • BeyondTrust Remote Support 25.3.3 and later
  • Security Rollup April 2026 25 RS for applicable Remote Support 25 releases
  • Security Rollup April 2026 24 RS for applicable Remote Support 24 releases

BeyondTrust states that patches were applied to all Remote Support and Privileged Remote Access cloud customers as of April 21, 2026. Self-hosted customers that are not subscribed to automatic updates should apply the applicable April 2026 Security Rollup or upgrade to Remote Support 25.3.3 or later.

BeyondTrust advisory and patch guidance:
BeyondTrust Security Advisory BT26-03
https://www.beyondtrust.com/trust-center/security-advisories/bt26-03

Description:
CVE-2026-40139 is a critical pre-authentication vulnerability in the authentication subsystem of BeyondTrust Remote Support.

An unauthenticated remote attacker may send crafted authentication requests to a vulnerable Remote Support appliance. Improper processing of these requests can cause the appliance to fail to correctly enforce access controls, allowing the attacker to bypass the expected authentication boundary and obtain unauthorized access to the appliance.

Successful exploitation may provide access to accounts on the Remote Support appliance, including accounts with elevated privileges. The attacker may then operate with the permissions and capabilities associated with the account obtained through the authentication bypass.

Mitigation Recommendation:

Review BeyondTrust Security Advisory BT26-03 and apply the applicable security rollup or fixed release.

Prioritize internet-facing and externally accessible BeyondTrust Remote Support appliances.

Restrict appliance management and authentication interfaces to trusted networks where operationally feasible.

Enforce multi-factor authentication and strong identity controls for privileged Remote Support accounts where supported.