CVE-2025-5309
Published 2025-06-16
Priority P2 · 62 · critical · 9.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS 0.88% (54.4th percentile)
The chat feature within Remote Support (RS) and Privileged Remote Access (PRA) is vulnerable to a Server-Side Template Injection vulnerability which can lead to remote code execution.
Affected
16 ranges. The linux_kernel rows below come from the CVE-2025-40044 (UDF out-of-bounds read) entries aggregated further down this page; they are not affected by the BeyondTrust SSTI and should not be read as part of CVE-2025-5309.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| beyondtrust | privileged_remote_access | — | — |
| beyondtrust | privileged_remote_access | 24.2.2 – 24.2.4 | — |
| beyondtrust | privileged_remote_access | >= 24.3.1 < 24.3.4 | 24.3.4 |
| beyondtrust | remote_support | — | — |
| beyondtrust | remote_support | 24.2.2 – 24.2.4 | — |
| beyondtrust | remote_support | >= 24.3.1 < 24.3.4 | 24.3.4 |
| beyondtrust | remote_support_privileged_remote_access | — | — |
| beyondtrust | remote_support_privileged_remote_access | 24.2.2 – 24.2.4 | — |
| beyondtrust | remote_support_privileged_remote_access | 24.3.1 – 24.3.3 | — |
| linux | linux_kernel | >= 2.6.12 < 5.4.301 | 5.4.301 |
| linux | linux_kernel | >= 5.11.0 < 5.15.195 | 5.15.195 |
| linux | linux_kernel | >= 5.16.0 < 6.1.156 | 6.1.156 |
| linux | linux_kernel | >= 5.5.0 < 5.10.246 | 5.10.246 |
| linux | linux_kernel | >= 6.13.0 < 6.17.3 | 6.17.3 |
| linux | linux_kernel | >= 6.2.0 < 6.6.112 | 6.6.112 |
| linux | linux_kernel | >= 6.7.0 < 6.12.53 | 6.12.53 |
Detection & IOCs (extracted from sources)
- Vulnerability class is Server-Side Template Injection (SSTI) in the chat feature of BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA): detect template expressions injected through chat input fields and aimed at the template engine.
- For Remote Support, exploitation does NOT require authentication: monitor for unauthenticated requests to chat/public-portal endpoints whose bodies carry template-injection payloads (expressions opening with `{{`, `${`, `#{`, `<#` and similar).
- Mitigation (not a fix) for on-premises deployments: enable SAML authentication for the Public Portal so that a user must authenticate before reaching the vulnerable chat feature, reducing the pre-auth attack surface.
- Additional mitigation: disable the Representative List and the Issue Submission Survey, and ensure session keys are enabled, which limits the unauthenticated paths into the chat feature.
- BeyondTrust RS/PRA cloud systems were patched as of June 16, 2025; on-premises customers without automatic updates enabled must apply the patch manually.
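The IOC bullets above say to look for template openers in unauthenticated chat and public-portal traffic. As an added example (not BeyondTrust's code and not from any of the page's sources), the scanner below runs over constructed log lines in an assumed format `<ip> <method> <path> auth=<yes|no> body="<url-encoded form>"`; the `/public/chat` and `/api/chat` paths are assumed too, not BeyondTrust's real routes. It URL-decodes the body twice (so `%7B%7B` and the double-encoded `%257B%257B` both surface), flags template openers, and rates a hit higher when it is shaped like an SSTI probe (arithmetic, class walking, a runtime or exec call) and arrived unauthenticated, which is the Remote Support scenario.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote_plus

# Template-expression openers from the IOC list above, plus Jinja/Twig "{%" and ERB/JSP "<%".
TEMPLATE_OPENERS = re.compile(r"\{\{|\$\{|#\{|<#|\{%|<%")
# An opener followed (within 80 chars) by something an SSTI probe actually does:
# arithmetic ({{7*7}}), dunder/class walking, or a runtime/exec call.
PROBE_SHAPE = re.compile(
    r"(?:\{\{|\$\{|#\{|<#|\{%|<%)[^\n]{0,80}?"
    r"(?:\*|\.__|\.class\b|getClass|Runtime|\bexec\b|popen|\.constructor|Execute)"
)
# Assumed log format (constructed for this example): ip method path auth=yes|no body="<url-encoded>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) auth=(?P<auth>yes|no) body="(?P<body>.*)"$'
)

# Constructed sample lines; the chat paths are assumed, not BeyondTrust's real endpoints.
SAMPLE_LOGS = [
    '203.0.113.7 POST /public/chat/start auth=no body="name=bob&msg=%7B%7B7*7%7D%7D"',
    '203.0.113.7 POST /public/chat/message auth=no body="msg=%24%7B%27%27.getClass%28%29.forName%28%27java.lang.Runtime%27%29%7D"',
    '198.51.100.4 POST /api/chat/message auth=yes body="msg=try+export+VAR%3D%24%7BHOME%7D+in+your+shell"',
    '198.51.100.4 POST /api/chat/message auth=yes body="msg=hello%2C+printer+is+offline"',
    '203.0.113.9 POST /public/chat/start auth=no body="msg=%257B%257B7*7%257D%257D"',
]


@dataclass
class Finding:
    src: str
    path: str
    authenticated: bool
    openers: List[str]
    looks_like_probe: bool
    severity: str


def decode_body(body: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so single- and double-encoded payloads both surface."""
    for _ in range(rounds):
        decoded = unquote_plus(body)
        if decoded == body:
            break
        body = decoded
    return body


def inspect(line: str) -> Optional[Finding]:
    """Return a Finding for a line carrying a template opener, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    body = decode_body(m["body"])
    openers = TEMPLATE_OPENERS.findall(body)
    if not openers:
        return None
    probe = PROBE_SHAPE.search(body) is not None
    authed = m["auth"] == "yes"
    if probe and not authed:
        severity = "high"    # pre-auth payload shaped like an SSTI probe: the RS case
    elif probe:
        severity = "medium"  # same shape, but the sender already held a session
    else:
        severity = "low"     # bare opener; often benign text, keep only for correlation
    return Finding(m["ip"], m["path"], authed, openers, probe, severity)


def scan(lines) -> List[Finding]:
    """Run inspect() over an iterable of log lines and keep the hits, in input order."""
    return [f for f in (inspect(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.severity:6} auth={f.authenticated!s:5} {f.src:13} {f.path} openers={f.openers}")
```

A pasted shell snippet such as `export VAR=${HOME}` is ordinary support-chat content, so the low tier is deliberately not an alert on its own; the high tier (unauthenticated, probe-shaped, against a public-portal path) is what to page on until the 24.3.4 patch is confirmed installed.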
CVSS provenance
NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v4.0: 8.6 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X (note the v4.0 vector scores user interaction as Active, which the v3.1 vector does not; that is the source of the 9.8 versus 8.6 gap)
Red Hat (vendor): 5.5 MEDIUM, attached to the CVE-2025-40044 kernel entry further down, not to this CVE
OSV
osv · 2025-10-28 · CVE-2025-40044: fs: udf: fix OOB read in lengthAllocDescs handling (a Linux kernel entry aggregated alongside this CVE; it is not the BeyondTrust issue)
In the Linux kernel, the following vulnerability has been resolved:
fs: udf: fix OOB read in lengthAllocDescs handling
When parsing Allocation Extent Descriptor, lengthAllocDescs comes from
on-disk data and must be validated against the block size. Crafted or
corrupted images may set lengthAllocDescs so that the total descriptor
length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,
leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and
trigger a KASAN use-after-free read.
BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8
GHSA
GHSA-gqmv-wgq3-w6p3 (unreviewed) · 2025-06-16 · CVE-2025-5309 [HIGH] · CWE-94
The chat feature within Remote Support (RS) and Privileged Remote Access (PRA) is vulnerable to a Server-Side Template Injection vulnerability which can lead to remote code execution.
Red Hat
vendor_redhat · 2025-10-28 · CVSS 5.5 · CVE-2025-40044 [MEDIUM] kernel: fs: udf: fix OOB read in lengthAllocDescs handling
Same commit description and KASAN report as the OSV entry above (Linux kernel UDF driver, not the BeyondTrust issue).
No detection rules found.
No public exploits indexed.
Bleepingcomputer
blogs_bleepingcomputer · 2025-06-18 · CVSS 8.6 · [HIGH]
## BeyondTrust warns of pre-auth RCE in Remote Support software
By Sergiu Gatlan
BeyondTrust has released security updates to fix a high-severity flaw in its Remote Support (RS) and Privileged Remote Access (PRA) solutions that can let unauthenticated attackers gain remote code execution on vulnerable servers.
Remote Support is BeyondTrust's enterprise-grade remote support solution that helps IT support teams troubleshoot issues by remotely connecting to systems and devices, while Privileged Remote Access acts as a secure gateway and ensures that users can only access the specific systems and resources they're authorized to use.
Tracked as CVE-2025-5309, this Server-Side Template Injection vulnerability was discovered by Jorren Geurts of Resillion in the chat feature of BeyondTrust RS/
Wiz
blogs_wiz · CVSS 9.8 · CVE-2026-1731 [CRITICAL] (a separate, later BeyondTrust CVE aggregated on this page; it is not CVE-2025-5309)
## CVE-2026-1731: BeyondTrust Privileged Remote Access Client vulnerability analysis and mitigation
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.
Source: NVD
- Score: 9.9 (CNA score 9.9) · Severity: CRITICAL · Published: February 6, 2026 · High-profile vulnerability: Yes
- Affected technologies: BeyondTrust Privileged Remote Access Client, BeyondTrust Remote Support Client
- Has public exploit: Yes · Has CISA KEV exploit: Yes · CISA KEV release date: N/A · CISA KEV due date: N/A
- Exploitation Probability Percentile (EPSS): 9
Bugzilla
bugzilla · 2025-10-28 · CVE-2025-40044 [MEDIUM] kernel: fs: udf: fix OOB read in lengthAllocDescs handling
Same commit description and KASAN report as the OSV entry above (Linux kernel UDF driver, not the BeyondTrust issue).
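The OSV, Red Hat and Bugzilla entries above all carry the same kernel commit message: lengthAllocDescs is read from the on-disk Allocation Extent Descriptor and must be checked against the block size, because otherwise udf_update_tag() hands crc_itu_t() a length that runs past the buffer. As an added example that is not kernel code and not from any of the page's sources, the Python below lays out the 24-byte allocExtDesc (16-byte tag plus previousAllocExtLocation and lengthAllocDescs, per ECMA-167), applies that check, and then recomputes descCRCLength, descCRC and tagChecksum the way udf_update_tag() and udf_tag_checksum() do. The 512-byte block size, tag location 100 and the two short_ad entries are constructed sample data; the function names are the example's own.

```python
import struct

BLOCK_SIZE = 512                        # assumed logical block size of the constructed image
TAG_FMT = "<HHBBHHHI"                   # struct tag: ident, version, checksum, reserved, serial, descCRC, descCRCLength, location
TAG_SIZE = struct.calcsize(TAG_FMT)     # 16
AED_FMT = TAG_FMT + "II"                # struct allocExtDesc: tag + previousAllocExtLocation + lengthAllocDescs
AED_SIZE = struct.calcsize(AED_FMT)     # 24
TAG_IDENT_AED = 0x0102                  # Allocation Extent Descriptor tag identifier
CHECKSUM_OFFSET = 4                     # tagChecksum byte, skipped when summing the tag
CRC_OFFSET = 8                          # descCRC (u16) followed by descCRCLength (u16)

# Constructed sample payload: two short_ad entries (extLength, extPosition), 16 bytes.
SAMPLE_ALLOC_DESCS = struct.pack("<IIII", 0x800, 100, 0x800, 101)


class CorruptDescriptor(ValueError):
    """On-disk fields failed validation (the kernel returns an error instead of raising)."""


def crc_itu_t(crc: int, data: bytes) -> int:
    """CRC-16 with polynomial x^16+x^12+x^5+1 (0x1021), MSB first, no reflection, as lib/crc-itu-t.c."""
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def tag_checksum(tag: bytes) -> int:
    """udf_tag_checksum(): byte sum of the 16-byte tag, skipping the checksum byte itself."""
    return sum(b for i, b in enumerate(tag[:TAG_SIZE]) if i != CHECKSUM_OFFSET) & 0xFF


def parse_aed_length(block: bytes, block_size: int = BLOCK_SIZE) -> int:
    """Read lengthAllocDescs from an AED and apply the bounds check the fix describes."""
    if len(block) < AED_SIZE:
        raise CorruptDescriptor("block too small for an allocExtDesc")
    fields = struct.unpack_from(AED_FMT, block, 0)
    if fields[0] != TAG_IDENT_AED:
        raise CorruptDescriptor(f"unexpected tag ident 0x{fields[0]:04x}")
    length_alloc_descs = fields[9]
    # The check that was missing: header plus the allocation descriptors it claims must fit in the
    # block. Written as a subtraction rather than a sum so a 32-bit value near UINT_MAX cannot wrap
    # the comparison when the same check is expressed in C.
    if length_alloc_descs > block_size - AED_SIZE:
        raise CorruptDescriptor(f"lengthAllocDescs={length_alloc_descs} overruns a {block_size}-byte block")
    return length_alloc_descs


def update_tag(block: bytes, length: int) -> bytes:
    """Mirror of udf_update_tag(): recompute descCRCLength, descCRC and tagChecksum over `length` bytes."""
    if length < TAG_SIZE or length > len(block):
        # This is where the kernel's crc_itu_t() call became the out-of-bounds read.
        raise CorruptDescriptor(f"descriptor length {length} exceeds the {len(block)}-byte buffer")
    buf = bytearray(block)
    crc_len = length - TAG_SIZE
    struct.pack_into("<HH", buf, CRC_OFFSET, crc_itu_t(0, bytes(buf[TAG_SIZE:length])), crc_len)
    buf[CHECKSUM_OFFSET] = tag_checksum(bytes(buf))
    return bytes(buf)


def rewrite_aed(block: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """The safe write path: validate lengthAllocDescs first, then update the tag."""
    return update_tag(block, AED_SIZE + parse_aed_length(block, block_size))


def verify_tag(block: bytes) -> bool:
    """Reader-side check: checksum byte and CRC over descCRCLength bytes after the tag."""
    if block[CHECKSUM_OFFSET] != tag_checksum(block):
        return False
    desc_crc, crc_len = struct.unpack_from("<HH", block, CRC_OFFSET)
    if crc_len > len(block) - TAG_SIZE:
        return False
    return desc_crc == crc_itu_t(0, block[TAG_SIZE:TAG_SIZE + crc_len])


def desc_crc_length(block: bytes) -> int:
    """The descCRCLength field as stored in the tag."""
    return struct.unpack_from("<H", block, CRC_OFFSET + 2)[0]


def is_valid_aed(block: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """True when the AED passes the bounds check and round-trips through update/verify."""
    try:
        return verify_tag(rewrite_aed(block, block_size))
    except CorruptDescriptor:
        return False


def build_aed_block(length_alloc_descs: int, alloc_descs: bytes = b"", block_size: int = BLOCK_SIZE) -> bytes:
    """Constructed image block: one AED with the given lengthAllocDescs (tagLocation 100 is assumed)."""
    tag = struct.pack(TAG_FMT, TAG_IDENT_AED, 3, 0, 0, 1, 0, 0, 100)
    body = struct.pack("<II", 0, length_alloc_descs) + alloc_descs
    return (tag + body)[:block_size].ljust(block_size, b"\0")
```

With a well-formed block the rewrite produces a tag whose CRC covers 24 bytes (the 8-byte AED body plus the 16 bytes of descriptors); with lengthAllocDescs forged to 0xFFFFFFF0 the parse step rejects the block before any CRC is computed, which is the behaviour the fix adds.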