Security Arsenal is tracking a critical security development impacting organizations relying on BeyondTrust for privileged access and remote support. The vendor has released patches for CVE-2026-40138, a pre-authentication vulnerability affecting Remote Support (RS) and Privileged Remote Access (PRA) platforms. With a CVSS score of 9.2, this flaw represents a severe risk to infrastructure integrity.
Introduction
Auth bypass vulnerabilities in privileged access management (PAM) solutions are the nightmare scenario for any security program. If an attacker can gain administrative control of a PAM or remote support appliance without credentials, they effectively own the network. CVE-2026-40138 allows unauthenticated attackers to take complete control of susceptible devices. Given the role BeyondTrust plays in managing high-privilege accounts, this vulnerability demands immediate emergency patching before threat actors weaponize it.
Technical Analysis
- CVE Identifier: CVE-2026-40138
- CVSS Score: 9.2 (Critical)
- Affected Products: BeyondTrust Remote Support (RS), Privileged Remote Access (PRA)
- Vulnerability Type: Pre-authentication Security Flaw (Auth Bypass)
The vulnerability exists within the authentication mechanism of the affected products. It allows attackers to bypass the login validation phase entirely. Unlike injection flaws that require specific payloads or timing attacks, an auth bypass often provides a direct pathway to administrative interfaces or API endpoints.
From a defensive perspective, the attack chain is simple: an attacker sends a specially crafted request to the target interface. If successful, the application grants session privileges equivalent to an authenticated administrator without validating credentials. This leads immediately to device takeover, data exfiltration, and lateral movement to connected endpoints.
Detection & Response
Detecting the exploitation of a pre-auth auth bypass is challenging because there is no failed login event to trigger an alert. We must rely on identifying the outcome of the attack—specifically, administrative activity or process execution that occurs in the absence of a preceding authentication event.
Sigma Rules
---
title: Potential BeyondTrust Admin Access Without Authentication
id: a1b2c3d4-5678-90ab-cdef-123456789abc
status: experimental
description: Detects successful access to administrative endpoints on BeyondTrust PRA/RS without a preceding valid login attempt or token context.
references:
- https://thehackernews.com/2026/07/beyondtrust-patches-critical-auth.html
author: Security Arsenal
date: 2026/07/15
tags:
- attack.initial_access
- attack.t1078
logsource:
category: web
detection:
selection:
cs-uri-stem|contains:
- '/api/v1/'
- '/api/v2/'
- '/admin/'
sc-status: 200
filter_legit:
cs-username|startswith: 'admin' # Assuming legit admin logins have a user context
# Add internal IP ranges here if applicable
condition: selection and not filter_legit
falsepositives:
- Anonymous API access configured for legitimate use
- Monitoring probes
level: high
---
title: BeyondTrust Service Spawning System Shell
id: b2c3d4e5-6789-01ab-cdef-234567890bcd
status: experimental
description: Detects the BeyondTrust service process spawning a shell (cmd.exe, powershell), indicating potential RCE exploitation.
references:
- https://thehackernews.com/2026/07/beyondtrust-patches-critical-auth.html
author: Security Arsenal
date: 2026/07/15
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains:
- 'BeyondTrust'
- 'Bomgar' # Legacy name often still in use
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: selection_parent and selection_child
falsepositives:
- Legitimate administrative debugging by support staff
level: critical
KQL (Microsoft Sentinel / Defender)
This query hunts for unusual process creation events originating from BeyondTrust parent processes.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ("BeyondTrust", "Bomgar", "RemoteSupport")
| where ProcessFileName in~ ("cmd.exe", "powershell.exe", "bash", "sh")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, InitiatingProcessParentFileName
| order by Timestamp desc
Velociraptor VQL
This artifact hunts for the specific BeyondTrust binaries and checks for recent modifications that might indicate a patch was missed or a binary was tampered with.
-- Hunt for BeyondTrust binaries and check metadata
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs=[
"C:/Program Files/BeyondTrust/**/*.exe",
"C:/Program Files (x86)/BeyondTrust/**/*.exe",
"/opt/beyondtrust/**/*",
"/opt/bomgar/**/*"
])
WHERE Mtime < now() - 30d
ORDER BY Mtime DESC
Remediation Script (PowerShell)
Use this script to identify installed BeyondTrust versions on Windows endpoints to prioritize patching.
# Check for BeyondTrust Remote Support / PRA Services
Write-Host "[+] Checking for BeyondTrust Services..."
$services = Get-WmiObject -Class Win32_Service | Where-Object { $_.Name -like "*BeyondTrust*" -or $_.Name -like "*Bomgar*" -or $_.PathName -like "*RemoteSupport*" }
if ($services) {
foreach ($svc in $services) {
$path = $svc.PathName -replace '".*?"', '' -replace ' .*', ''
if (Test-Path $path) {
$file = Get-Item $path
Write-Host "SERVICE: $($svc.Name)"
Write-Host "PATH: $path"
Write-Host "VERSION: $($file.VersionInfo.FileVersion)"
Write-Host "MODIFIED: $($file.LastWriteTime)"
Write-Host "------------------------------------------------"
}
}
Write-Host "[!] Review versions against the CVE-2026-40138 advisory immediately."
} else {
Write-Host "[-] No BeyondTrust services found."
}
Remediation
- Patch Immediately: Apply the latest updates provided by BeyondTrust for Remote Support and Privileged Remote Access. Do not wait for a standard maintenance window.
- Verify Version: Use the script above or the vendor's administrative console to confirm all instances have been updated to a build patched against CVE-2026-40138.
- Network Isolation: If immediate patching is not possible, restrict management interfaces to strict allow-listed IP ranges (e.g., VPN subnets only) via network firewall rules.
- Audit Logs: Review access logs for the last 30 days for any administrative API calls or configuration changes that cannot be attributed to known administrators.
- Credential Rotation: If exploitation is suspected, treat the appliance as compromised and rotate all credentials stored within it (domain admin, local admin, and privileged account passwords).
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.