CVE-2025-5309

Published: Jun 16, 2025Modified: Aug 21, 2025

8.6

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: 13061848-ea10-403d-bd75-c83a022c2891 (Secondary)

Description

The chat feature within Remote Support (RS) and Privileged Remote Access (PRA) is vulnerable to a Server-Side Template Injection vulnerability which can lead to remote code execution.

Affected (6)

Products: Beyondtrust: Privileged Remote Access, Remote Support

Beyondtrust

2 products

Privileged Remote Access

Remote Support

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Beyondtrust Privileged Remote Access	From 24.2.2 to 24.2.4
Beyondtrust Privileged Remote Access	From 24.3.1 to 24.3.4
Beyondtrust Privileged Remote Access	Version 25.1.1
Beyondtrust Remote Support	From 24.2.2 to 24.2.4
Beyondtrust Remote Support	From 24.3.1 to 24.3.4
Beyondtrust Remote Support	Version 25.1.1

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (1)

https://www.beyondtrust.com/trust-center/security-advisories/bt25-04

Source: 13061848-ea10-403d-bd75-c83a022c2891

MitigationVendor Advisory

Timeline

No history available yet.