CVE-2026-40140
BeyondTrust Privileged Remote Access Client Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-40140 is a pre-authentication denial-of-service vulnerability in the network communication subsystem of BeyondTrust Remote Support and Privileged Remote Access (PRA). Insufficient validation of client-supplied input allows an unauthenticated remote attacker to trigger a denial-of-service condition affecting appliance availability. Affected versions include Remote Support and Privileged Remote Access prior to 25.3.3 and prior to 26.2.1. The vulnerability was published on July 6, 2026, and carries a CVSS v4.0 base score of 8.7 (High) (GitHub Advisory, BeyondTrust Advisory).

Détails techniques

The root cause is classified as CWE-400 (Uncontrolled Resource Consumption), where the network communication subsystem fails to properly validate or limit client-supplied input, enabling resource exhaustion. An unauthenticated attacker can send specially crafted network requests to the affected appliance without any prior authentication, privileges, or user interaction required. The attack vector is network-based with low complexity and no special preconditions, making it automatable. No public proof-of-concept code has been identified at this time (GitHub Advisory, BeyondTrust Advisory).

Impact

Successful exploitation results in a denial-of-service condition that renders the BeyondTrust Remote Support or Privileged Remote Access appliance unavailable. The impact is limited to availability — there is no evidence of confidentiality or integrity compromise from this vulnerability alone. However, disruption of these appliances can significantly affect business continuity, as they are commonly used for enterprise remote access and privileged session management, potentially blocking legitimate administrative and support operations (GitHub Advisory).

Atténuation et solutions de contournement

BeyondTrust has released patched versions addressing this vulnerability: Remote Support and Privileged Remote Access versions 25.3.3 and 26.2.1 or later are not affected. Organizations should upgrade to these fixed versions as the primary remediation step. As interim workarounds, administrators should isolate or restrict network access to BeyondTrust appliances to trusted networks only, implement network-level filtering to limit exposure of the affected communication subsystem, and monitor for anomalous traffic patterns indicative of denial-of-service attempts (BeyondTrust Advisory).

Réactions de la communauté

Coverage of CVE-2026-40140 appeared alongside related BeyondTrust vulnerabilities (CVE-2026-40138, CVE-2026-40139), with outlets such as BleepingComputer, The Hacker News, and CybersecurityNews reporting on the broader set of critical flaws in BeyondTrust remote access products (BleepingComputer, The Hacker News). Security researchers noted that self-hosted BeyondTrust servers may have been left exposed for extended periods prior to patching. Community sentiment highlighted the sensitivity of the affected products given their role in privileged access management within enterprise environments.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté BeyondTrust Privileged Remote Access Client Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-1731CRITICAL9.9
  • BeyondTrust Privileged Remote Access Client logoBeyondTrust Privileged Remote Access Client
  • cpe:2.3:a:beyondtrust:privileged_remote_access
OuiOuiFeb 06, 2026
CVE-2026-40139CRITICAL9.2
  • BeyondTrust Privileged Remote Access Client logoBeyondTrust Privileged Remote Access Client
  • cpe:2.3:a:beyondtrust:privileged_remote_access
NonOuiJul 06, 2026
CVE-2026-40138CRITICAL9.2
  • BeyondTrust Privileged Remote Access Client logoBeyondTrust Privileged Remote Access Client
  • cpe:2.3:a:beyondtrust:privileged_remote_access
NonOuiJul 06, 2026
CVE-2026-40140HIGH8.7
  • BeyondTrust Privileged Remote Access Client logoBeyondTrust Privileged Remote Access Client
  • cpe:2.3:a:beyondtrust:remote_support
NonOuiJul 06, 2026
CVE-2026-40141HIGH8.5
  • BeyondTrust Privileged Remote Access Client logoBeyondTrust Privileged Remote Access Client
  • cpe:2.3:a:beyondtrust:privileged_remote_access
NonOuiJul 06, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités