BeyondTrust Tools RCE Vulnerability Let Attackers Execute Arbitrary Code
A high-severity remote code execution vulnerability has been identified in BeyondTrust’s Remote Support and Privileged Remote Access platforms, potentially allowing attackers to execute arbitrary code on affected systems.
The vulnerability, tracked as CVE-2025-5309, carries a CVSSv4 score of 8.6 and was responsibly disclosed by security researcher Jorren Geurts of Resillion.
Server-Side Template Injection
The vulnerability stems from a Server-Side Template Injection (SSTI) flaw categorized under CWE-94, which affects the chat feature within both Remote Support (RS) and Privileged Remote Access (PRA) components.
The CVSSv4 vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N indicates that the vulnerability can be exploited over the network with low complexity and requires no privileges, though user interaction is necessary.
The underlying issue occurs because the affected systems fail to properly escape user input intended for the template engine, creating an opportunity for malicious template injection.
What makes this vulnerability particularly concerning is that exploitation of Remote Support systems does not require authentication, significantly lowering the barrier for potential attackers.
The template injection mechanism allows attackers to inject malicious code that gets processed by the server-side template engine, ultimately leading to arbitrary code execution in the context of the vulnerable server.
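The escaping failure described above, as an added example that is not BeyondTrust's code: the vulnerable pattern splices the chat message into the template source, the hardened pattern passes it only as data. Python's stdlib string.Template stands in for the platform's (unnamed) engine, and the context values are constructed.

```python
"""Server-side template injection in a chat-transcript renderer (added example).

string.Template is used as a stand-in engine: `$name` in the template *source*
is replaced from a context dict. The bug class is the same for any engine:
user text that reaches the template source is parsed as template syntax.
"""
import re
from html import escape
from string import Template

# Constructed server-side context. Anything a template can reference becomes
# reachable to injected syntax if user input lands in the template source.
SERVER_CONTEXT = {
    "agent": "support-bot",
    "session_token": "EXAMPLE-TOKEN-1234",  # constructed placeholder value
}


def render_unsafe(chat_message: str) -> str:
    """Vulnerable pattern: the chat message is concatenated into the template
    text before rendering, so `$name` sequences typed by the user are resolved
    against SERVER_CONTEXT instead of being shown literally."""
    template_src = "<p><b>$agent:</b> " + chat_message + "</p>"
    return Template(template_src).safe_substitute(SERVER_CONTEXT)


def render_safe(chat_message: str) -> str:
    """Hardened pattern: the template is a fixed string; the message is passed
    only as a context value and HTML-escaped. substitute() makes one pass, so
    template syntax inside the substituted value is never re-parsed."""
    template_src = "<p><b>$agent:</b> $message</p>"
    ctx = {"agent": SERVER_CONTEXT["agent"], "message": escape(chat_message)}
    return Template(template_src).substitute(ctx)


# Placeholder syntax of this stand-in engine: `$name` or `${name}`.
_PLACEHOLDER = re.compile(r"\$\{?[A-Za-z_]\w*\}?")


def looks_like_template_syntax(chat_message: str) -> bool:
    """Detection aid for logging/alerting on chat input that carries engine
    placeholder syntax. Defence in depth only; render_safe is the fix."""
    return _PLACEHOLDER.search(chat_message) is not None
```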
The vulnerability affects several versions of both Remote Support and Privileged Remote Access platforms, specifically versions 24.2.2 to 24.2.4, 24.3.1 to 24.3.3, and 25.1.1.
Organizations running these affected versions are at risk of having their systems compromised through the chat functionality.
The high CVSS score reflects the severe potential impact, with the vulnerability enabling attackers to achieve high confidentiality, integrity, and availability impact on vulnerable systems.
| Risk Factors | Details |
|---|---|
| Affected Products | Remote Support and Privileged Remote Access platforms versions 24.2.2 to 24.2.4, 24.3.1 to 24.3.3, and 25.1.1 |
| Impact | Remote Code Execution (RCE) via Server-Side Template Injection |
| Exploit Prerequisites | Unauthenticated network access to Public Portal |
| CVSSv4 Score | 8.6 (High) |
Mitigations
BeyondTrust has responded swiftly to address this vulnerability, automatically applying patches to all Remote Support and Privileged Remote Access cloud customers as of June 16, 2025.
On-premise customers must manually apply the appropriate patches unless their instances are configured for automatic updates through the /appliance interface.
For Remote Support systems, the patches include HELP-10826-2 for versions 24.2.2 to 24.2.4 and 24.3.1 to 24.3.3, and HELP-10826-1 for version 25.1.1.
Privileged Remote Access users should upgrade to version 25.1.2 or apply the corresponding HELP-10826 patches for their specific versions.
Organizations unable to immediately apply patches can implement temporary mitigation measures, including enabling SAML authentication for the Public Portal and enforcing session key usage by ensuring Session Keys are enabled while disabling the Representative List and Issue Submission Survey features.
These interim controls help reduce the attack surface while organizations plan their patching schedules. Security teams should prioritize these updates given the high severity rating and the potential for unauthenticated exploitation in Remote Support environments.