A critical Server-Side Template Injection (SSTI) vulnerability (CVE-2025-5309) in BeyondTrust’s Remote Support (RS) and Privileged Remote Access (PRA) solutions enables unauthenticated attackers to execute arbitrary code on affected systems.
Rated 8.6 CVSSv4 (High severity), this flaw impacts on-premise installations running versions 24.2.2–25.1.1, with cloud instances already patched as of June 16, 2025.
Template Injection Mechanism
The vulnerability stems from improper input sanitization in the chat feature’s template engine.
Attackers can inject malicious payloads like {{7*7}} to test template evaluation or escalate to RCE using crafted expressions such as:
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
This allows execution of OS commands via the server’s context, bypassing authentication in RS instances.
The CWE-94 weakness highlights improper control of code generation during template rendering.
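As an added defensive example, not code from the advisory or from BeyondTrust, the following Python scans chat-message log lines for the evaluation probe and Python attribute-traversal patterns described above; the key=value log format, field names and sample lines are constructed assumptions, and the probe rule is generalized slightly to also cover ${...} and <%= ... %> delimiters.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample chat-message log lines (not taken from BeyondTrust or the advisory).
SAMPLE_LOG = [
    'ts=2025-06-17T10:01:02Z src=203.0.113.7 msg="hello, my screen is frozen"',
    'ts=2025-06-17T10:01:09Z src=203.0.113.7 msg="{{7*7}}"',
    'ts=2025-06-17T10:01:15Z src=203.0.113.7 msg="{{ self.__init__.__globals__.__builtins__ }}"',
    'ts=2025-06-17T10:02:00Z src=198.51.100.4 msg="ticket {{12345}} still open?"',
]

# Field extractors for the assumed key=value log format.
SRC_RX = re.compile(r'\bsrc=(\S+)')
MSG_RX = re.compile(r'\bmsg="((?:[^"\\]|\\.)*)"')
# Named detection rules applied to the raw chat text, ordered probe -> traversal -> sink.
RULES = [
    # Arithmetic evaluation probe such as {{7*7}}, ${7*7} or <%= 7*7 %>.
    ("arith_probe", re.compile(
        r"(\{\{|\$\{|<%=)\s*\d{1,3}\s*[*+]\s*['\"]?\d{1,3}['\"]?\s*(\}\}|\}|%>)")),
    # Python dunder traversal used to climb from a template variable to builtins.
    ("dunder_traversal", re.compile(r"__(?:class|mro|subclasses|globals|builtins|import|init)__")),
    # Command-execution sink reached once builtins are in hand.
    ("os_exec_sink", re.compile(r"\b(?:popen|system|subprocess)\b")),
]

class Finding(NamedTuple):
    line_no: int      # 1-based index into the scanned log
    src: str          # client address, "?" if the line has none
    rules: List[str]  # names of every rule that matched this message

def parse_line(line: str) -> Optional[Tuple[str, str]]:
    # Return (src, msg) for a line, or None if it carries no msg field.
    msg = MSG_RX.search(line)
    if not msg:
        return None
    src = SRC_RX.search(line)
    return (src.group(1) if src else "?", msg.group(1))

def scan_chat_log(lines: List[str]) -> List[Finding]:
    # One Finding per message that trips a rule; plain braces like {{12345}} do not match.
    findings = []
    for no, line in enumerate(lines, start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, msg = parsed
        hits = [name for name, rx in RULES if rx.search(msg)]
        if hits:
            findings.append(Finding(no, src, hits))
    return findings
```

Run over SAMPLE_LOG, lines 2 and 3 are flagged (arithmetic probe, then dunder traversal) while the benign ticket reference on line 4 is not.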
Risk Assessment and CVSSv4 Breakdown
| Metric | Rating |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | Active |
| Confidentiality (VC) | High |
| Integrity (VI) | High |
| Availability (VA) | High |
| Base Score | 8.6 |
The CVSSv4 vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H reflects widespread exploitability due to network accessibility and low attack barriers.
Mitigation Strategies and Patch Deployment
BeyondTrust released patches (HELP-10826-1/2) for on-premise installations, with fixed versions including:
| Product | Patched Versions |
|---|---|
| Remote Support | 24.2.4+, 24.3.3+, 25.1.1+ |
| Privileged Remote Access | 24.2.4+, 24.3.3+, 25.1.2+ |
For unpatched systems, administrators should:
- Enable SAML authentication for RS Public Portals
- Enforce session keys and disable Representative List/IoS Survey features
- Monitor /appliance interfaces for update compliance
Security teams are advised to audit template rendering logic in custom applications, referencing PortSwigger’s SSTI detection methodology.
This vulnerability underscores the risks of insufficient input validation in template engines, particularly in privileged access tools.
Organizations using affected BeyondTrust products should prioritize patch deployment and review authentication workflows to prevent exploitation.