BeyondTrust has patched two critical pre-authentication vulnerabilities, CVE-2026-40138 and CVE-2026-40139, both rated CVSS 9.2, in its Remote Support and Privileged Remote Access products. Because these flaws require no valid credentials and sit in tools that broker privileged access into corporate networks, they are exactly the class of bug attackers race to weaponize. Organizations running affected appliances should patch now and hunt for signs of prior exploitation.

  • The flaws: two pre-auth vulnerabilities (CVE-2026-40138, CVE-2026-40139), each CVSS 9.2, in BeyondTrust Remote Support and Privileged Remote Access.
  • Why it is severe: pre-auth means no login required, and these products by design hold the keys to privileged sessions across an environment.
  • The context: remote-access and privileged-access appliances have been repeatedly targeted, so a 9.2 pre-auth bug here is a prime ransomware and espionage entry point.
  • The action: apply BeyondTrust's fixes immediately and review logs for anomalous pre-auth activity during the exposure window.
Why a pre-auth flaw in a privileged-access tool is so dangerousAn unauthenticated attacker reaches an internet-facing BeyondTrust appliance, exploits a pre-auth flaw, and gains a foothold into the privileged sessions the tool brokers across the internal network.UnauthRemote Support /InternalattackerPrivileged Access applianceCVSS 9.2 pre-authprivileged sessionsNo credentials needed at the door, and the door opens onto the keys to the networkPRE-AUTH + PRIVILEGED-ACCESS = TOP-TIER TARGETgenztech.blog
Fig 1 The danger is compounding: a pre-auth flaw removes the credential barrier, and the compromised product is precisely the one that holds privileged access to the rest of the network, turning one exploit into broad reach.

What are CVE-2026-40138 and CVE-2026-40139?

Both are critical, pre-authentication vulnerabilities in BeyondTrust's Remote Support and Privileged Remote Access products, each carrying a CVSS score of 9.2. Pre-authentication is the key phrase: an attacker does not need a valid account, a stolen password, or any prior access to attempt exploitation. They only need network reach to the vulnerable appliance. BeyondTrust has released fixes, and the responsible move for any organization running these products is to treat patching as an emergency rather than routine maintenance. The vendor's advisory is the authoritative source for affected versions and the exact remediation steps.

RelatedMicrosoft Patches 570 Flaws, Two Zero-Days Exploited

Why do these products make such attractive targets?

BeyondTrust Remote Support and Privileged Remote Access exist to broker exactly the access attackers want. They let support staff and administrators connect into systems with elevated privileges, often reaching across an entire environment. That makes them a chokepoint: compromise the appliance and you inherit a path to the privileged sessions it manages. This category of product, remote-access gateways and privileged-access managers, has a long track record of being targeted precisely because a single flaw yields outsized reach. A pre-auth vulnerability in this tier is a near-perfect initial-access vector for ransomware crews and state-aligned intruders alike, which is why a 9.2 here should command more urgency than a higher raw score in a less sensitive product.

Is there evidence of active exploitation?

The prudent assumption is that exploitation is imminent even where it is not yet confirmed. Critical pre-auth bugs in access appliances have a short shelf life before proof-of-concept code and scanning activity appear, and attackers actively monitor these vendors' advisories for exactly this reason. Defenders should not wait for a public exploit or a KEV listing to act. Patch now, and in parallel, review appliance and authentication logs for anomalous connections during the window before the fix was applied, because if you were exposed and targeted, the evidence will be in those logs, not in a future headline.

What should defenders do right now?

Three moves, in order. First, apply BeyondTrust's patches to all affected Remote Support and Privileged Remote Access instances immediately, prioritizing any that are internet-facing. Second, reduce exposure: these management appliances rarely need to be reachable from the open internet, so restrict access to trusted networks or a VPN wherever possible. Third, hunt: review logs for unexpected pre-authentication activity, new or unfamiliar sessions, and configuration changes during the exposure period, and rotate credentials and secrets that the appliance could have exposed if you find anything suspicious. Assume-breach hunting is cheap insurance against a bug this severe.

RelatedProgress Confirms ShareFile Zero-Day Behind Server Shutdown

What to watch · next weeks
  • KEV listing. If CISA adds either CVE to its Known Exploited Vulnerabilities catalog, in-the-wild attacks are confirmed and the clock is officially running.
  • Public exploit code. Proof-of-concept releases will trigger mass scanning; internet-facing appliances are the first to fall.
  • Ransomware activity. Access-broker groups favor exactly this kind of pre-auth appliance bug; watch threat-intel feeds.
  • Your own logs. The most important signal is internal: evidence of exploitation before you patched.

Our take

Not all CVSS 9.2s are equal, and this pair sits at the dangerous end of the spectrum. Pre-authentication removes the one barrier that usually buys defenders time, and the affected products are the very tools that hold privileged access to everything else. That combination is why access-broker and ransomware groups treat remote-support and privileged-access appliances as premium targets, and why a bug like this deserves an emergency response rather than a scheduled patch cycle. BeyondTrust did the right thing by shipping fixes; the responsibility now shifts to operators. The organizations that patch today and hunt their logs will likely never make the news. The ones that wait for a public exploit may not have that choice.

Primary sources

Original analysis by GenZTech. Based on BeyondTrust advisories and vulnerability disclosures as of July 2026.