BeyondTrust has released emergency updates addressing multiple critical vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) products, including flaws that could allow unauthenticated attackers to bypass access controls and take control of affected appliances. The vulnerabilities, discovered through internal security assessments using AI-assisted tooling, affect configurations widely deployed in healthcare environments for remote IT support and privileged access management.
Vulnerability details
Three critical CVEs were disclosed: CVE-2026-40138 and CVE-2026-40139 are unauthenticated auth bypass flaws in specific configuration scenarios. CVE-2026-40141 allows authenticated users to escalate privileges and impact system integrity under specific configurations. Additional medium-severity flaws (CVE-2026-40140, CVE-2026-1731) could enable service disruption and unintended data access.
The most severe vulnerabilities may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance. This is particularly dangerous in healthcare settings where BeyondTrust Remote Support is used for IT help desk access to clinical workstations, EHR systems, and medical devices.
Healthcare impact
Hospitals and health systems are among the largest users of BeyondTrust remote access products for managing clinical IT environments. A compromised BeyondTrust appliance could give an attacker direct access to systems handling PHI, including EHR databases, imaging systems, and connected medical devices. Many healthcare organizations rely on BeyondTrust for third-party vendor remote access to medical equipment, amplifying the supply chain risk.
BeyondTrust has released patched versions. Healthcare organizations using RS or PRA should prioritize this update given the unauthenticated remote exploitation vector and the sensitivity of systems accessed through these gateways.
