CRITICAL: BeyondTrust Auth Bypass Flaws Hand Attackers the Keys to Remote Support and PRA
BeyondTrust patched four flaws in Remote Support and Privileged Remote Access, including two unauthenticated CVSS 9.2 auth bypass bugs (CVE-2026-40138 and CVE-2026-40139) that let network-positioned attackers reach elevated accounts. All versions at or below 25.3.2 are vulnerable, with fixes in the 25.3.3 line. Cloud customers were patched April 21 2026, so self-hosted admins are the ones who need to move now.