BeyondTrust has released security updates to fix a high-severity flaw in its Remote Support (RS) and Privileged Remote Access (PRA) solutions that can let attackers gain remote code execution on vulnerable servers, without authentication in the case of Remote Support.
Remote Support is BeyondTrust's enterprise-grade remote support solution that helps IT support teams troubleshoot issues by remotely connecting to systems and devices, while Privileged Remote Access acts as a secure gateway and ensures that users can only access the specific systems and resources they're authorized to use.
Tracked as CVE-2025-5309, this Server-Side Template Injection vulnerability was discovered by Jorren Geurts of Resillion in the chat feature of BeyondTrust RS/PRA.
"Remote Support and Privileged Remote Access components do not properly escape input intended for the template engine, leading to a potential template injection vulnerability," the company explained.
"This flaw may allow an attacker to execute arbitrary code in the context of the server. Notably, in the case of Remote Support, exploitation does not require authentication."
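To make the bug class concrete, here is an added example that is not BeyondTrust's code (the product's template engine and chat handler are not public). It uses a minimal stand-in template engine in Python in which every "{{ expr }}" tag is evaluated, a chat greeting that concatenates a visitor-supplied name into the template source (the vulnerable shape), the two standard fixes (pass the input as a context value, or escape the engine's delimiters before the input reaches the template source), and the black-box probe a pentester would use to confirm the injection. The tag syntax, the function names and the escape form are assumptions of this stand-in, not BeyondTrust's.

```python
import re

# Minimal stand-in for a template engine (constructed for this example): every
# "{{ expr }}" is evaluated as a Python expression against the supplied
# context. Real engines differ in syntax and sandboxing, but the injection
# pattern below is the same.
TAG = re.compile(r"\{\{\s*(.*?)\s*\}\}")


def render_template(source: str, context: dict) -> str:
    """Render a template source string. Anything inside {{ }} is executed."""
    def evaluate(match: re.Match) -> str:
        return str(eval(match.group(1), {"__builtins__": {}}, dict(context)))
    return TAG.sub(evaluate, source)


def render_chat_vulnerable(visitor_name: str) -> str:
    """BUG: untrusted input is concatenated into the template *source*, so any
    template syntax it contains is parsed and executed by the engine (SSTI)."""
    source = "Chat started with " + visitor_name
    return render_template(source, {})


def render_chat_safe(visitor_name: str) -> str:
    """Fix 1: the template source is a constant; untrusted input enters only as
    a context value and is never parsed as template syntax."""
    return render_template("Chat started with {{ name }}", {"name": visitor_name})


def escape_for_template(text: str) -> str:
    """Fix 2 (what the advisory calls escaping): neutralise the engine's open
    delimiter so the text can no longer start a tag. The replacement is the
    escape form of this stand-in engine; every real engine has its own."""
    return text.replace("{{", '{{ "{{" }}')


def render_chat_escaped(visitor_name: str) -> str:
    """Same concatenation as the vulnerable version, but the input is escaped
    before it reaches the template source."""
    return render_template("Chat started with " + escape_for_template(visitor_name), {})


# Canonical SSTI probe: arithmetic inside the delimiters. If "49" comes back,
# the input was evaluated by the template engine rather than treated as text.
PROBE = "{{ 7*7 }}"


def is_template_injectable(render) -> bool:
    """Black-box check a pentester would run against a rendering endpoint."""
    return "49" in render(PROBE)


if __name__ == "__main__":
    for name, fn in [("vulnerable", render_chat_vulnerable),
                     ("context-passing fix", render_chat_safe),
                     ("escaping fix", render_chat_escaped)]:
        print(f"{name:20s} -> {fn(PROBE)!r}  injectable={is_template_injectable(fn)}")
```

The probe is the same one used to triage SSTI in web applications generally: submit `{{ 7*7 }}` (or the equivalent delimiters for the suspected engine) through the user-controlled field and look for `49` in the response. Once arithmetic is evaluated, the attacker is executing code inside the engine's sandbox, and whether that turns into arbitrary commands "in the context of the server", as the advisory puts it, depends only on how tight that sandbox is.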
BeyondTrust has patched all RS/PRA cloud systems as of June 16, 2025, and advised on-premises customers to apply the patch manually if they haven't enabled automatic updates.
Administrators who cannot deploy the security patches right away can mitigate the risk of exploitation for CVE-2025-5309 by enabling SAML authentication for the Public Portal. They should also enforce the use of session keys by disabling the Representative List and the Issue Submission Survey while ensuring that session keys are turned on.
Product                   Fixed version
Remote Support            24.2.2 to 24.2.4 with HELP-10826-2 Patch
Remote Support            24.3.1 to 24.3.3 with HELP-10826-2 Patch
Remote Support            24.3.4 and any future 24.3.x release
Privileged Remote Access  24.2.2 to 24.2.4 with HELP-10826-2 Patch
Privileged Remote Access  24.3.1 to 24.3.3 with HELP-10826-2 Patch
Privileged Remote Access  25.1.1 with HELP-10826-1 Patch
Privileged Remote Access  25.1.2 and above
While the company didn't say this vulnerability has been exploited in the wild, other BeyondTrust RS/PRA security flaws have been targeted in attacks in recent years.
Most notably, the company disclosed in early December 2024 that attackers had breached its systems using two RS/PRA zero-day bugs (CVE-2024-12356 and CVE-2024-12686); a PostgreSQL zero-day (CVE-2025-1094) was later found to have been used in the same attacks. The attackers also stole an API key during the breach, which was used to compromise 17 Remote Support SaaS instances.