BeyondTrust has disclosed four vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) products, two of which carry a near-maximum CVSS v4 score of 9.2. What makes advisory BT26-03 notable isn’t just the severity; it’s the discovery method
the flaws were surfaced internally using AI-driven vulnerability research powered by publicly available models, including Opus 4.8, alongside proprietary tooling.
BeyondTrust has explicitly stated this effort was conducted independently of Project Glasswing, distancing it from other recent industry research initiatives.
The advisory, issued June 21, 2026, details four CVEs spanning authentication bypass, denial-of-service, and unauthorized data access.
- CVE-2026-40138 (Critical, 9.2): An authentication subsystem flaw (CWE-287) letting a network-positioned attacker bypass access controls, including on privileged accounts, though it requires high attack complexity and a specific auth configuration enabled.
- CVE-2026-40139 (Critical, 9.2): A more dangerous sibling flaw, also known as CWE-287, with low attack complexity and no privileges or user interaction required; an unauthenticated attacker can bypass authentication entirely under certain configurations.
- CVE-2026-40140 (High, 8.7): An uncontrolled resource consumption bug (CWE-400) in the network communication layer, allowing unauthenticated attackers to crash the appliance and disrupt availability.
- CVE-2026-40141 (High, 8.5): An improper input neutralization issue (CWE-943) in a web component that allows low-privileged authenticated users to access data or resources outside their authorization scope.
Two of these are pre-authentication bugs reachable over the network without credentials, which is precisely the profile threat actors hunt for when scanning exposed remote-access infrastructure.
Both critical CVEs note that exploitation “requires a specific authentication configuration to be enabled.” That’s not a minor footnote.
It means the real-world blast radius depends heavily on how organizations have deployed RS/PRA, likely tied to specific SSO, SAML, or alternate authentication integrations rather than default installs. Security teams shouldn’t read “requires specific config” as “low risk.”
Given how common federated authentication setups are in enterprise remote-access deployments, the affected population could still be substantial.
BeyondTrust says cloud customers have already been patched automatically, with the fix applied as of April 21, 2026, well before this public disclosure. That timing gap between silent patching and public advisory is increasingly standard practice for vendors managing hosted infrastructure.
Self-hosted customers face more responsibility:
- Instances not on automatic updates require the April 2026 security rollup to be applied.
- Alternatively, upgrade directly to RS 25.3.3 or PRA 25.3.3 (or later).
- Anything running RS or PRA 25.3.2 or earlier is confirmed vulnerable.
This disclosure comes amid growing industry debate over AI-assisted vulnerability research, a practice that has moved from experimental to operational faster than many expected.
BeyondTrust’s willingness to name the model (Opus 4.8) used in discovery signals a shift toward transparency in how vendors find bugs before attackers do.
Given BeyondTrust’s history as a target for remote-access-focused threat actors, self-hosted customers should treat the 25.3.3 upgrade as urgent, not routine patch-cycle maintenance.