BeyondTrust Fixes CVSS 9.2 PAM Bypass in Tools State Hackers Have Targeted for 18 Months
BeyondTrust Fixes CVSS 9.2 PAM Bypass in Tools State Hackers Have Targeted for 18 Months, highlighting how a privileged access gateway can turn a remote flaw into full enterprise takeover. On Tuesday, BeyondTrust disclosed four vulnerabilities affecting Remote Support (RS) and Privileged Remote Access (PRA) appliances and software, including two critical pre-authentication bypass issues rated 9.2 on CVSS v4. The company warned that self-hosted customers on version 25.3.2 or earlier that are not enrolled in automatic updates remain exposed, while cloud-hosted customers were patched silently on April 21, 2026. The advisory BT26-03 describes CVE-2026-40138 and CVE-2026-40139 as authentication-subsystem and request-path validation failures that can be exploited without credentials, potentially enabling unauthorized administrative access across managed systems.







