Saturday, December 13, 2025

BeyondTrust Tools RCE Vulnerability Allows Attackers to Execute Arbitrary Code

BeyondTrust has disclosed a critical server-side template injection vulnerability affecting its Remote Support and Privileged Remote Access products, potentially allowing attackers to execute arbitrary code on affected systems.

The security vulnerability, tracked as CVE-2025-5309 and assigned a high-severity CVSSv4 score of 8.6, poses significant risks to organizations using these remote access tools.

The vulnerability, designated as Advisory ID BT25-04, stems from improper input escaping within the chat functionality of both Remote Support (RS) and Privileged Remote Access (PRA) components.

This server-side template injection weakness enables malicious actors to inject and execute arbitrary code within the server context, potentially compromising entire systems.

What makes this vulnerability particularly concerning is that Remote Support exploitation requires no authentication, significantly lowering the barrier for potential attackers.

The flaw affects multiple version ranges across both products, including Remote Support versions 24.2.2 to 24.2.4, 24.3.1 to 24.3.3, and 25.1.1, as well as corresponding Privileged Remote Access versions.

The timing of this disclosure is critical, as remote access tools have become essential components of modern IT infrastructure, particularly following the widespread adoption of remote work practices.

Organizations relying on these tools for technical support and privileged access management face immediate security risks until proper mitigation measures are implemented.

BeyondTrust Tools RCE Vulnerability

The vulnerability stems from weaknesses in template engine input handling and is classified under CWE-94 (Improper Control of Generation of Code).

Server-side template injection attacks occur when user input is embedded into template engines without proper sanitization, allowing attackers to inject template directives that execute on the server side.

In this specific case, the chat feature within both affected products fails to adequately escape user-supplied input before passing it to the template engine.

This oversight creates an attack vector where malicious template syntax can be injected through chat interactions, subsequently processed by the server and executed with server privileges.
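To make the mechanism above concrete, here is an added illustration (not BeyondTrust code, and not the template engine any of its products use) of the two ways a chat message can reach a template engine: concatenated into the template source, where directives in the message are evaluated, versus passed as a context variable, where the engine substitutes it verbatim. The toy engine, the `agent`/`session` context values and the `contains_template_syntax` detection helper are all constructed for this example.

```python
import re

# Minimal {{ name }} / {{ name.attr }} substitution engine, constructed only to
# show the injection pattern. Real engines evaluate far richer expressions.
_DIRECTIVE = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}")

def render(template_source: str, context: dict) -> str:
    """Expand every directive in template_source by looking it up in context."""
    def lookup(match: re.Match) -> str:
        value = context
        for part in match.group(1).split("."):
            value = value[part] if isinstance(value, dict) else getattr(value, part)
        return str(value)
    # re.sub inserts the replacement literally; substituted text is never re-parsed.
    return _DIRECTIVE.sub(lookup, template_source)

# Constructed server-side context: the agent name belongs in the page, the
# session token must never be visible to a portal visitor.
CONTEXT = {"agent": "R. Patel", "session": {"token": "constructed-secret-token"}}

def render_chat_vulnerable(message: str) -> str:
    """Insecure pattern: the visitor's text becomes part of the template
    source, so any directive it contains is evaluated by the engine."""
    return render("<b>{{ agent }}</b>: " + message, CONTEXT)

def render_chat_safe(message: str) -> str:
    """Secure pattern: the template is a fixed string and the message is
    supplied as data, so the engine emits it verbatim."""
    return render("<b>{{ agent }}</b>: {{ message }}", {**CONTEXT, "message": message})

def contains_template_syntax(message: str) -> bool:
    """Detection aid: flag inbound chat text carrying template delimiters so
    it can be logged or alerted on, independent of how it is rendered."""
    return _DIRECTIVE.search(message) is not None

if __name__ == "__main__":
    probe = "{{ session.token }}"          # constructed message containing a directive
    print("vulnerable:", render_chat_vulnerable(probe))   # token is expanded
    print("safe:      ", render_chat_safe(probe))         # text stays literal
    print("flagged:   ", contains_template_syntax(probe))
```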

The network-accessible nature of the vulnerability, combined with low attack complexity and no required privileges for Remote Support exploitation, makes it an attractive target for cybercriminals.

The CVSSv4 vector string AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N indicates high impact on confidentiality, integrity, and availability of vulnerable systems.

Organizations using these products should prioritize patching efforts, as the combination of remote code execution capabilities and minimal authentication requirements creates significant security exposure that could lead to complete system compromise.

Mitigations

BeyondTrust has already deployed patches to all cloud-based RS/PRA customers as of June 16, 2025, addressing the vulnerability across their managed infrastructure.

However, on-premise customers must take immediate action to protect their systems.

For organizations unable to immediately apply patches, BeyondTrust recommends several mitigation strategies.

Remote Support users should enable SAML authentication for the Public Portal and enforce session key usage by ensuring Session Keys are enabled, while disabling the Representative List and Issue Submission Survey features.

The company has released specific patches for affected versions: HELP-10826-2 for versions 24.2.2 to 24.2.4 and 24.3.1 to 24.3.3, and HELP-10826-1 for version 25.1.1.

Privileged Remote Access users should upgrade to version 25.1.2 or apply the corresponding patches for their current versions.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
