Cyber Web Spider Blog – News

BeyondTrust Tools RCE Vulnerability Let Attackers Execute Arbitrary Code

Posted on June 17, 2025 By CWS

A high-severity remote code execution vulnerability has been identified in BeyondTrust’s Remote Support and Privileged Remote Access platforms, potentially allowing attackers to execute arbitrary code on affected systems.

The vulnerability, tracked as CVE-2025-5309, carries a CVSSv4 score of 8.6 and was responsibly disclosed by security researcher Jorren Geurts of Resillion.

Server-Side Template Injection

The vulnerability stems from a Server-Side Template Injection (SSTI) flaw categorized under CWE-94, which affects the chat feature within both the Remote Support (RS) and Privileged Remote Access (PRA) components.

The CVSSv4 vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N indicates that the vulnerability can be exploited over the network with low complexity and requires no privileges, although user interaction is necessary.

The underlying issue occurs because the affected systems fail to properly escape user input intended for the template engine, creating an opportunity for malicious template injection.

What makes this vulnerability particularly concerning is that exploitation of Remote Support systems does not require authentication, significantly lowering the barrier for potential attackers.

The template injection mechanism allows attackers to inject malicious code that gets processed by the server-side template engine, ultimately leading to arbitrary code execution in the context of the vulnerable server.

The vulnerability affects multiple versions of both the Remote Support and Privileged Remote Access platforms, specifically versions 24.2.2 to 24.2.4, 24.3.1 to 24.3.3, and 25.1.1.

Organizations running these affected versions are at risk of having their systems compromised through the chat functionality.

The high CVSS score reflects the severe potential impact, with the vulnerability enabling attackers to achieve high confidentiality, integrity, and availability impact on vulnerable systems.

| Risk Factors | Details |
| --- | --- |
| Affected Products | Remote Support and Privileged Remote Access platforms, versions 24.2.2 to 24.2.4, 24.3.1 to 24.3.3, and 25.1.1 |
| Impact | Remote Code Execution (RCE) via Server-Side Template Injection |
| Exploit Prerequisites | Unauthenticated network access to Public Portal |
| CVSS 3.1 Score | 8.6 (High) |

Mitigations

BeyondTrust has responded swiftly to address this vulnerability, automatically applying patches to all Remote Support and Privileged Remote Access cloud customers as of June 16, 2025.

On-premise customers must manually apply the appropriate patches unless their instances are configured for automatic updates through the /appliance interface.

For Remote Support systems, the patches include HELP-10826-2 for versions 24.2.2 to 24.2.4 and 24.3.1 to 24.3.3, and HELP-10826-1 for version 25.1.1.

Privileged Remote Access users should upgrade to version 25.1.2 or apply the corresponding HELP-10826 patches for their specific versions.
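
An added example, not BeyondTrust's or the article's own code: a Python triage that checks an appliance inventory against the affected version ranges and patch names listed above. The inventory entries, hostnames and the strict x.y.z version format are assumptions constructed for illustration.

```python
import re

# Inclusive affected ranges and Remote Support patch names, as listed in the article.
AFFECTED = [
    ((24, 2, 2), (24, 2, 4), "HELP-10826-2"),
    ((24, 3, 1), (24, 3, 3), "HELP-10826-2"),
    ((25, 1, 1), (25, 1, 1), "HELP-10826-1"),
]
PRA_ACTION = "upgrade to 25.1.2 or apply the HELP-10826 patch for this version"

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if text is not x.y.z."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None

def triage(product, version):
    """Classify one appliance; product is 'RS' or 'PRA' (labels assumed here)."""
    if product not in ("RS", "PRA"):
        return ("unknown", "unrecognized product; verify manually")
    v = parse_version(version)
    if v is None:
        # Never treat an unreadable version as safe.
        return ("unknown", "unparseable version; verify manually")
    for low, high, patch in AFFECTED:
        if low <= v <= high:  # tuple comparison, so 24.2.10 sorts after 24.2.4
            action = f"apply {patch}" if product == "RS" else PRA_ACTION
            return ("affected", action)
    # The article lists only the ranges above; anything else is "not listed",
    # which is weaker than "confirmed not affected".
    return ("not listed", "outside the ranges listed in the article")

def report(inventory):
    """Return (host, product, version, status, action) rows, affected first."""
    order = {"affected": 0, "unknown": 1, "not listed": 2}
    rows = [(h, p, v, *triage(p, v)) for h, p, v in inventory]
    return sorted(rows, key=lambda r: (order[r[3]], r[0]))

# Constructed sample inventory (hypothetical hosts).
SAMPLE = [
    ("rs-01.example.internal", "RS", "24.3.2"),
    ("pra-01.example.internal", "PRA", "25.1.1"),
    ("rs-02.example.internal", "RS", "25.1.2"),
    ("rs-03.example.internal", "RS", "unknown-build"),
]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print("{:<26} {:<4} {:<14} {:<11} {}".format(*row))
```

Hosts whose status is "unknown" need a manual version check before they are treated as patched.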

Organizations unable to immediately apply patches can implement temporary mitigation measures, including enabling SAML authentication for the Public Portal and enforcing session key usage by ensuring Session Keys are enabled while disabling the Representative List and Issue Submission Survey features.

These interim controls help reduce the attack surface while organizations plan their patching schedules. Security teams should prioritize these updates given the high severity rating and the potential for unauthenticated exploitation in Remote Support environments.
