Veeam and BeyondTrust on Tuesday introduced patches for a number of vulnerabilities that might be exploited to execute arbitrary code.
BeyondTrust launched fixes for a high-severity safety defect in its Distant Help (RS) and Privileged Distant Entry (PRA) merchandise, warning that it may possibly result in distant code execution (RCE) by template injection.
Tracked as CVE-2025-5309 (CVSS rating of 8.6), the flaw is described as a server-side template injection difficulty within the chat characteristic of RS and PRA.
The bug exists as a result of enter supposed for the template engine will not be correctly escaped, and permits attackers to execute code within the context of the server. Attackers can exploit the vulnerability towards RS deployments with out authentication.
In keeping with BeyondTrust, the flaw impacts RS and PRA variations 24.2.2 to 24.2.4, 24.3.1 to 24.3.3, and 25.1.1. Patches had been rolled out for all affected cloud iterations and can be found for obtain for on-premises deployments.
Veeam on Tuesday introduced the discharge of Veeam Backup & Replication 12.3.2 with fixes for 2 safety defects that would result in code execution.
The primary, tracked as CVE-2025-23121 (CVSS rating of 9.9), is a essential bug that permits a distant, authenticated area person to execute arbitrary code on the Backup Server.
The second, tracked as CVE-2025-24286, is a high-severity difficulty that permits an attacker authenticated as a Backup Operator to tamper with backup jobs, which might result in code execution.Commercial. Scroll to proceed studying.
Moreover, Veeam resolved a medium-severity vulnerability in Veeam Agent for Microsoft Home windows that would permit native customers with System privileges to switch listing contents and execute arbitrary code.
Neither BeyondTrust nor Veeam point out any of those safety defects being exploited within the wild. Nevertheless, risk actors have been noticed exploiting flaws of their merchandise and customers are suggested to replace their installations as quickly as attainable.
Associated: Organizations Warned of Vulnerability Exploited In opposition to Discontinued TP-Hyperlink Routers
Associated: Asus Armoury Crate Vulnerability Results in Full System Compromise
Associated: Cisco Patches Excessive-Severity DoS, Privilege Escalation Vulnerabilities
Associated: GitLab, Atlassian Patch Excessive-Severity Vulnerabilities
