
BeyondTrust has issued security updates for a high-severity Server-Side Template Injection (SSTI) vulnerability in its Remote Support (RS) and Privileged Remote Access (PRA) products. Tracked as CVE-2025-5309 (CVSS v4 8.6), the flaw allows an attacker to execute arbitrary code on a vulnerable appliance; against RS no authentication is required, while PRA requires an authenticated user. BeyondTrust patched its cloud instances by June 16, 2025; on-premise deployments must be updated manually [1].
TL;DR: Key Facts
- Vulnerability: SSTI leading to RCE (CVE-2025-5309)
- Affected Products: BeyondTrust RS (24.2.2–25.1.1) and PRA (24.2.2–25.1.1)
- Exploitation: Unauthenticated for RS, authenticated for PRA
- Patch Status: Cloud instances patched; on-premise updates available via HELP-10826-1/2 advisory
- CISA KEV: the December 2024 KEV entry cited in the original reporting [2] is for the earlier BeyondTrust command-injection flaw CVE-2024-12356, not for CVE-2025-5309, which was only published in June 2025; check the KEV catalog for the current status of this CVE
Technical Analysis
The vulnerability stems from insufficient input sanitization in the chat feature of both products: text supplied by a chat participant reaches the server-side template engine as template source rather than as data. The standard first check for SSTI is to submit an arithmetic expression in the engine's delimiter syntax, such as {{7*7}}, and see whether the response reflects the literal string or the evaluated result (49). Once evaluation is confirmed, a payload that walks from a template object to the runtime's module loader yields operating-system command execution. The following is the widely published generic form for Python/Jinja2-style engines, as documented in PortSwigger's SSTI research [6]; it illustrates the technique and is not a BeyondTrust-specific exploit:
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
RS is the more exposed product because its chat feature is reachable without authentication; PRA requires an authenticated user, but a successful exploit grants the same level of control over the appliance. Note that the PostgreSQL chaining reported in early 2025 [3] involved the earlier BeyondTrust flaw CVE-2024-12356 together with PostgreSQL CVE-2025-1094, not CVE-2025-5309; CVE-2024-36401, cited in the original text, is a GeoServer vulnerability unrelated to either product.
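To make the root cause concrete, the following is an added example written for this page; it is not BeyondTrust code, and the template engine used by RS/PRA is not public, so a minimal toy renderer stands in for it. The renderer names (render_vulnerable, render_safe, chat_banner_*), the {{ ... }} delimiter syntax and the context variables are all assumptions chosen for illustration. The vulnerable path concatenates the chat message into the template source and evaluates it; the fixed path keeps the template fixed and passes the message as a variable. probe_ssti applies the arithmetic fingerprinting probes from PortSwigger's methodology (random operands instead of 7*7 so a coincidental "49" in a reply cannot fool the check) and reports whether the engine reflects, evaluates, or evaluates with Python-like semantics.

```python
"""SSTI root cause and fix, with a fingerprinting probe.

Added example for this article: a toy renderer standing in for a real
template engine. Not BeyondTrust code; all names are illustrative.
"""
import random
import re

# {{ expression }} delimiter syntax, assumed for the toy engine.
TEMPLATE_EXPR = re.compile(r"\{\{(.*?)\}\}")
# A bare identifier, the only thing the safe renderer will resolve.
NAME_ONLY = re.compile(r"^\s*([A-Za-z_]\w*)\s*$")


def render_vulnerable(template: str, context: dict) -> str:
    """Evaluate every {{...}} with eval(): whatever is inside the braces is code.

    eval() with an empty globals dict still injects __builtins__, so an
    expression such as __import__('os') is reachable from any template.
    """
    def evaluate(match: re.Match) -> str:
        return str(eval(match.group(1), {}, dict(context)))
    return TEMPLATE_EXPR.sub(evaluate, template)


def render_safe(template: str, context: dict) -> str:
    """Resolve {{ name }} strictly as a dictionary lookup; no expression evaluation."""
    def lookup(match: re.Match) -> str:
        name = NAME_ONLY.match(match.group(1))
        if name is None or name.group(1) not in context:
            raise KeyError("template variable not allowed: %r" % match.group(1))
        return str(context[name.group(1)])
    return TEMPLATE_EXPR.sub(lookup, template)


def chat_banner_vulnerable(message: str) -> str:
    """The bug pattern: user data is concatenated into the template source."""
    return render_vulnerable("Visitor wrote: " + message, {"product": "Remote Support"})


def chat_banner_safe(message: str) -> str:
    """The fix: the template is a constant and the message is passed as a variable.

    The substituted value is never re-scanned for delimiters, so a message
    containing {{7*7}} is echoed literally.
    """
    return render_safe("Visitor wrote: {{ message }}",
                       {"product": "Remote Support", "message": message})


def safe_renderer_rejects(template: str) -> bool:
    """True if render_safe refuses a template containing a non-identifier expression."""
    try:
        render_safe(template, {"product": "Remote Support"})
    except KeyError:
        return True
    return False


def probe_ssti(render) -> str:
    """Fingerprint a render function with PortSwigger-style arithmetic probes.

    Returns 'reflected' (no evaluation), 'evaluated' (arithmetic ran but the
    engine is not Python-like) or 'evaluated-python-like' (string repetition,
    as in Jinja2/Python: 7*'7' -> '7777777').
    """
    a, b = random.randint(100, 999), random.randint(100, 999)
    if str(a * b) not in render("{{%d*%d}}" % (a, b)):
        return "reflected"
    try:
        out = render("{{%d*'%d'}}" % (a, b))
    except Exception:  # engine evaluated arithmetic but choked on int*str
        return "evaluated"
    return "evaluated-python-like" if str(b) * a in out else "evaluated"


if __name__ == "__main__":
    probe = "{{7*7}}"
    print("vulnerable:", chat_banner_vulnerable(probe))
    print("safe:      ", chat_banner_safe(probe))
    print("fingerprint vulnerable:", probe_ssti(chat_banner_vulnerable))
    print("fingerprint safe:      ", probe_ssti(chat_banner_safe))
```

The same two-probe sequence is what a tester would send through the chat field: if the arithmetic result comes back, the field is template source, and the generic command-execution payload above is the next step; if the literal comes back, the engine is treating the message as data.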
Impact and Exploitation
Press reporting has linked BeyondTrust remote-access deployments to several incidents, but the attribution to this specific CVE needs care. The INC ransomware attack on McLaren hospitals cited here [5] took place in 2024 and therefore predates the disclosure of CVE-2025-5309. The original text also reports a $2.3 million loss at a European financial institution attributed to credential theft through compromised PRA instances; that figure is not traceable to any of the references listed below. The original text further states that CISA required federal agencies to patch by July 11, 2025; such deadlines attach to KEV-listed CVEs, and the KEV entry cited here [2] is for CVE-2024-12356, so confirm the current KEV status of CVE-2025-5309 before planning around that date.

| Metric | Value (CVSS v4 base, as scored for RS) |
|---|---|
| Attack Vector | Network |
| Privileges Required | None for RS; PRA requires an authenticated user |
| Confidentiality Impact | High |
Mitigation and Remediation
BeyondTrust recommends patching on-premise installations immediately using its published guidance [1]. Organizations should:
- Apply the fixed build for their branch: RS 24.2.4+, 24.3.3+, or 25.1.1+ and PRA 25.1.2+
- Require SAML authentication on RS public portals, so that the chat feature is no longer reachable anonymously
- Disable the Representative List and Issue Submission Survey features on the public portal
- Verify patch status through the appliance's /appliance administrative interface
Where patching cannot happen at once, restrict network access to the appliance (segmentation and allow-listing of the public portal) to shrink the pre-authentication exposure. Teams that embed template engines in their own applications should also audit that user input reaches templates as data, never as template source; PortSwigger's SSTI research gives concrete defensive guidance [6].
Broader Security Context
This vulnerability was disclosed amid increased APT activity against enterprise remote-access and network-edge products: China-linked Salt Typhoon has been exploiting Cisco IOS XE flaws [4], and Russia-linked Seashell Blizzard ran the BadPilot operation, which the cited reporting links to theft of aviation safety data [7]. The BeyondTrust flaw is significant because the RS variant is exploitable before authentication and because these appliances broker privileged access into customer networks.
Security teams should prioritize patching on those grounds rather than waiting for a KEV listing or confirmed in-the-wild exploitation. Monitor authentication logs and network traffic to BeyondTrust instances, and in particular look for chat messages that contain template syntax or arithmetic probes, and for unexpected child processes spawned by the appliance's web-facing services.
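As an added example of the chat-message monitoring suggested above (not part of the original article, and not based on BeyondTrust's real log schema, which the page does not show), the following scanner runs over constructed chat log lines in a hypothetical key=value format. It scores each message on three signals: template delimiters of common engines, an arithmetic probe such as 7*7, and introspection or OS tokens that appear in command-execution payloads. A threshold keeps a lone {{...}} in ordinary text from paging anyone while a probe or a payload is reported immediately.

```python
"""Score chat messages for SSTI probing and payloads.

Added example for this article. The log format, field names and sample
lines below are constructed for illustration and are not BeyondTrust's.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log in a hypothetical key=value chat log format.
SAMPLE_LOG = """\
2025-06-17T09:58:12Z event=chat session=1a2b user=visitor msg="Hi, my VPN client will not start"
2025-06-17T09:58:40Z event=chat session=1a2b user=rep msg="Can you send me the error text?"
2025-06-17T10:01:03Z event=chat session=9f8e user=visitor msg="{{7*7}}"
2025-06-17T10:01:29Z event=chat session=9f8e user=visitor msg="{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}"
2025-06-17T10:02:10Z event=chat session=c3d4 user=visitor msg="Price is ${{amount}} per seat, right?"
2025-06-17T10:03:55Z event=chat session=e5f6 user=visitor msg="<%= 7*7 %>"
"""

LINE = re.compile(
    r'^(?P<ts>\S+) event=chat session=(?P<session>\S+) user=(?P<user>\S+) msg="(?P<msg>.*)"\s*$'
)
# Delimiters of Jinja2/Twig ({{ }}), FreeMarker/Velocity (${ }), ERB/JSP (<%= %>), Ruby (#{ }).
DELIMITERS = re.compile(r"\{\{.*?\}\}|\$\{.*?\}|<%=.*?%>|#\{.*?\}")
# Integer times integer-or-quoted-integer, the classic 7*7 / 7*'7' probe pair.
ARITH_PROBE = re.compile(r"\d+\s*\*\s*['\"]?\d+['\"]?")
# Tokens found in Python-style object-walking payloads and OS command calls.
DANGEROUS_TOKENS = ("__globals__", "__builtins__", "__import__", "__subclasses__",
                    "__mro__", "popen", "subprocess", "os.system")


@dataclass
class Finding:
    line_no: int
    session: str
    user: str
    score: int
    reasons: list = field(default_factory=list)


def score_message(msg: str):
    """Return (score, reasons) for one chat message; higher means more suspicious."""
    score, reasons = 0, []
    if DELIMITERS.search(msg):
        score += 1
        reasons.append("template delimiters")
    if ARITH_PROBE.search(msg):
        score += 2
        reasons.append("arithmetic probe")
    hits = [t for t in DANGEROUS_TOKENS if t in msg]
    if hits:
        score += 5
        reasons.append("introspection/OS tokens: " + ", ".join(hits))
    return score, reasons


def scan_chat_log(text: str, threshold: int = 2):
    """Parse log lines, score each chat message and return findings at or above threshold.

    Findings are ordered highest score first; ties keep log order.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE.match(line)
        if m is None:
            continue  # not a chat event in the expected format
        score, reasons = score_message(m["msg"])
        if score >= threshold:
            findings.append(Finding(line_no, m["session"], m["user"], score, reasons))
    findings.sort(key=lambda f: -f.score)
    return findings


if __name__ == "__main__":
    for f in scan_chat_log(SAMPLE_LOG):
        print(f"line {f.line_no} session={f.session} user={f.user} score={f.score}: "
              + "; ".join(f.reasons))
```

On the sample log the command-execution payload on line 4 scores highest, the two arithmetic probes (lines 3 and 6) come next, and the innocuous "${{amount}}" on line 5 stays below the threshold. In production, correlate the flagged session with process-creation telemetry from the appliance: a chat session followed by an unexpected shell or "id" process is the pair worth escalating.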
References
- [1] BeyondTrust, "Advisory BT25-04", 2025.
- [2] CISA, "Known Exploited Vulnerabilities Catalog", 2024.
- [3] Security Affairs, "PostgreSQL Flaw Chained with BeyondTrust Zero-Day", 2025.
- [4] Security Affairs, "Salt Typhoon Exploited Cisco IOS XE Flaws", 2025.
- [5] Security Affairs, "McLaren Hospitals Attack", 2025.
- [6] PortSwigger Research, "Server-Side Template Injection", 2025.
- [7] Security Affairs, "Russia-Linked Seashell Blizzard APT BadPilot Operation", 2025.