BeyondTrust Tools RCE Vulnerability Allows Attackers to Execute Arbitrary Code
A newly disclosed vulnerability in BeyondTrust’s Remote Support (RS) and Privileged Remote Access (PRA) products has raised alarms across the cybersecurity community.
The flaw, tracked as CVE-2025-5309 and detailed in advisory BT25-04, allows attackers to execute arbitrary code on affected servers via a Server-Side Template Injection (SSTI) vulnerability in the chat feature.
With a CVSSv4 score of 8.6, this high-severity issue could have far-reaching consequences for organizations relying on these widely used access management solutions.
Vulnerability Summary
The vulnerability stems from improper input handling in the chat feature of both RS and PRA.
Specifically, user-supplied input is not adequately escaped before being processed by the server-side template engine.
This oversight enables attackers to inject malicious template code, potentially resulting in the execution of arbitrary commands on the server.
Of particular concern, exploitation of the flaw in Remote Support does not require authentication, meaning even unauthenticated attackers could compromise vulnerable systems.
For Privileged Remote Access, the risk is similarly severe, as attackers could gain a foothold in environments designed to protect sensitive operations.
| Field | Details |
| --- | --- |
| CVE ID | CVE-2025-5309 |
| CVSSv4 Score | 8.6 (High) |
| Severity | High |
| Synopsis | RCE via Server-Side Template Injection |
| Impacted Products | BeyondTrust Remote Support (RS), Privileged Remote Access (PRA) |
| Affected Versions | RS: 24.2.2–24.2.4, 24.3.1–24.3.3, 25.1.1; PRA: 24.2.2–24.2.4, 24.3.1–24.3.3, 25.1.1 |
| Fixed Versions | RS: Patched versions with HELP-10826-1/2; PRA: 25.1.2+, and patched earlier versions |
BeyondTrust has already deployed patches to all RS/PRA cloud customers as of June 16, 2025.
On-premise customers are urged to apply the relevant patches immediately, especially if their instances are not configured for automatic updates.
For those unable to patch Remote Support promptly, BeyondTrust recommends enabling SAML authentication for the public portal and enforcing session key usage to mitigate exploitation risk.
Given that exploitation of CVE-2025-5309 in Remote Support does not require authentication, organizations using affected BeyondTrust products should prioritize patching and review their security configurations.
Failure to address this vulnerability could result in a complete compromise of critical access management infrastructure.
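The triage that the version table and the Remote Support mitigations above imply for an on-premise inventory, as an added example that is not BeyondTrust code. The inventory field names (`product`, `version`, `patch_applied`, `saml_public_portal`, `session_keys_enforced`) and the sample hosts are constructed assumptions.

```python
# Affected ranges as listed in the advisory table (identical for RS and PRA).
AFFECTED = [((24, 2, 2), (24, 2, 4)), ((24, 3, 1), (24, 3, 3)), ((25, 1, 1), (25, 1, 1))]
# Hypothetical inventory field -> interim mitigation the article names for Remote Support.
RS_MITIGATIONS = {"saml_public_portal": "SAML on public portal",
                  "session_keys_enforced": "session keys enforced"}

def parse_version(text):
    """Turn '24.3.2' into (24, 3, 2); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)

def in_affected_range(version):
    """True when the version falls inside one of the listed affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def triage(host):
    """Return (status, action) for one inventory record."""
    try:
        affected = in_affected_range(host.get("version", ""))
    except ValueError:
        return "unknown", "confirm the installed version by hand"
    if not affected:
        return "not listed", "version is outside the ranges the advisory lists"
    if host.get("patch_applied"):
        return "patched", "patch recorded; no further action"
    if host.get("product") == "RS":
        # RS is exploitable without authentication, so missing mitigations matter most here.
        missing = [label for key, label in RS_MITIGATIONS.items() if not host.get(key)]
        if missing:
            return "exposed", "patch now; interim mitigations missing: " + ", ".join(missing)
        return "mitigated", "interim mitigations in place; still apply the patch"
    return "exposed", "patch now (PRA 25.1.2+ or the patch for earlier versions)"

if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    inventory = [
        {"name": "rs-01.example", "product": "RS", "version": "25.1.1"},
        {"name": "rs-02.example", "product": "RS", "version": "24.3.2",
         "saml_public_portal": True, "session_keys_enforced": True},
        {"name": "pra-01.example", "product": "PRA", "version": "24.2.3", "patch_applied": True},
    ]
    for host in inventory:
        print(host["name"], *triage(host), sep=" | ")
```

A version inside an affected range does not by itself show the host is unpatched, because the fix for earlier releases ships as a patch (HELP-10826-1/2 for RS) rather than a new version number; the `patch_applied` field has to come from checking the appliance.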