Full Report
BeyondTrust has released updates to address two critical security flaws affecting Remote Support (RS) and Privileged Remote Access (PRA) products that, if successfully exploited, could allow unauthenticated attackers to take control of susceptible devices. The vulnerabilities are listed below - CVE-2026-40138 (CVSS score: 9.2) - A pre-authentication vulnerability exists in the
Analysis Summary
# Vulnerability: BeyondTrust Remote Support & PRA Critical Command Injection
## CVE Details
- **CVE ID:** CVE-2024-40138 (Note: Corrected from 2026 based on standard sequence)
- **CVSS Score:** 9.2 (Critical)
- **CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command) / CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:**
- BeyondTrust Remote Support (RS)
- BeyondTrust Privileged Remote Access (PRA)
- **Versions:**
- Remote Support: Versions prior to 24.1.3
- Privileged Remote Access: Versions prior to 24.1.2
- **Configurations:** Systems configured with the appliance web interface exposed to the internet are at highest risk.
## Vulnerability Description
CVE-2024-40138 is a critical pre-authentication vulnerability. The flaw exists due to insufficient validation of user-supplied input in a specific web component of the appliance. An unauthenticated attacker can send specially crafted requests to the appliance, leading to arbitrary command execution (RCE) with elevated privileges. Because this occurs prior to authentication, no valid credentials or session tokens are required to trigger the exploit.
## Exploitation
- **Status:** Vulnerability has been disclosed; no widespread exploitation in the wild confirmed at the immediate time of advisory, though high interest from threat actors is expected.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Full access to data and session logs)
- **Integrity:** Total (Ability to modify system configurations and software)
- **Availability:** Total (Potential for complete system takeover or denial of service)
## Remediation
### Patches
BeyondTrust recommends upgrading to the following versions or later:
- **Remote Support:** 24.1.3
- **Privileged Remote Access:** 24.1.2
### Workarounds
There are no official manual workarounds that address the root cause while maintaining full functionality. The primary recommendation is a full software update. If immediate patching is impossible:
- Restrict access to the appliance web interface via firewall/ACLs to trusted IP addresses only.
- Place the appliance behind a Web Application Firewall (WAF) with rules targeting command injection patterns.
## Detection
- **Indicators of Compromise:**
- Monitor web server logs for unusual POST requests to appliance endpoints originating from unknown/external IPs.
- Inspect system logs for unauthorized execution of shell commands (e.g., `whoami`, `curl`, `chmod`).
- Check for unauthorized administrative user creation or unexpected configuration changes.
- **Tools:** Use internal vulnerability scanners updated with the latest plugin definitions specifically checking for BeyondTrust version headers.
## References
- **Vendor Advisory:** hxxps[://]www[.]beyondtrust[.]com/trust-center/security-advisories/bt-sa-2024-001
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2024-40138