The Login Screen Was the Vulnerability
BeyondTrust disclosed four flaws in its Remote Support (RS) and Privileged Remote Access (PRA) software this year, and the two most severe share a specific shape: they let an unauthenticated attacker walk past the login entirely. CVE-2026-40138 stems from improper authentication in the RS/PRA authentication subsystem itself. CVE-2026-40139 comes from how the software processes authentication requests. Neither requires a stolen password. Both were patched for cloud customers on April 21, 2026, with self-hosted operators told to apply the April rollup or upgrade to version 25.3.3. The remaining two CVEs are rated high severity; they affect related components but require some level of prior access.
The Same Month, a Different Vendor
WebPulse's threat catalog logged a similar class of flaw the same month, in different software: CVE-2026-41940, an authentication bypass in WebPros cPanel and WHM affecting the WP2 login flow, entered the CISA Known Exploited Vulnerabilities catalog on April 30, 2026. BeyondTrust RS/PRA is remote support and privileged session tooling; cPanel/WHM is a web hosting control panel. They are structurally different products, but both grant privileged infrastructure control via a web-accessible login — and both had that login bypassed. Two auth-bypass disclosures in a single month across unrelated administrative and privileged-access tools is noteworthy, though whether this reflects a structural pattern or coincidence requires more data.
What's Still Reachable
Patching a vendor advisory and closing the exposure gap are two different milestones. Shadowserver's internet-wide scans counted roughly 2,000 BeyondTrust RS and PRA instances still reachable from the open internet as of the July 2026 disclosure period, with patch status across that population not verified. BeyondTrust has not reported confirmed exploitation, and the count includes patched and unpatched instances alike. What the number establishes is scale of reachability, not confirmed compromise — the distinction WebPulse's own catalog draws between a listed CVE and a CISA KEV entry with documented in-the-wild use.
The Trust Boundary Behind the Trust Boundary
Remote Support and Privileged Remote Access exist to grant a human technician temporary, logged control of another system — a support engineer resolving a ticket, an admin pushing a patch. WebPulse's broader thesis — that infrastructure interfaces are increasingly consumed by automated processes alongside human operators — suggests an authentication bypass at this layer carries implications beyond the immediate patch cycle. It removes the checkpoint both a human operator and an automated process are supposed to pass through. Authentication-bypass flaws in administrative and privileged-access software have appeared among recent CISA KEV additions, alongside the WordPress plugin ecosystem, where separate KEV entries trace back to the same category of authentication and access-control failure.
What Budget Signers Should Track
The actionable data point isn't the CVE count, it's the exposure count. Organizations running RS, PRA, or comparable privileged-access software have a concrete inventory question to answer: is the instance patched, and is it internet-facing when it doesn't need to be. Neither question requires a security team to interpret a CVSS score — both are answerable from an asset list, which is the same starting point WebPulse applies when it scans detected frameworks for unpatched, internet-facing software rather than assuming coverage.


