CVE-2025-69516
Published 2026-01-29
Priority: P2 · 67 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.10% (79.4th percentile)
A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the server. The `template_md` parameter is not properly sanitized, which allows direct injection of Jinja2 templates: the generate_html() function passes the user-controlled value to `env.from_string`, which renders arbitrary Jinja2 templates, making SSTI possible.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| amidaware | tactical_rmm | < 1.4.0 | 1.4.0 |
Detection & IOCs
- Monitor POST requests to the /reporting/templates/preview/ endpoint for Jinja2 template injection patterns in the `template_md` parameter (e.g., {{ }}, {% %}, Python dunder/subclass traversal expressions).
- Alert on use of `env.from_string` / `Environment.from_string()` with user-controlled input in Tactical RMM's reporting code path, as this is the vulnerable sink that enables arbitrary Python execution.
- Detect Knox API token acquisition followed immediately by requests to the template preview endpoint; the exploit authenticates to obtain a Knox API token before delivering the SSTI payload.
- Flag use of `tee` in command payloads delivered via the template preview endpoint; the Metasploit module specifically uses `tee` to avoid redirect operators that would otherwise break exploitation.
- Restrict access to the /reporting/templates/preview/ endpoint to high-privileged roles only; the vulnerability is exploitable by low-privileged Report Viewer or Report Manager accounts.
- The vulnerability was silently patched in Tactical RMM v1.4.0 by replacing `jinja2.Environment` with `jinja2.sandbox.SandboxedEnvironment`. Versions v1.3.1 and earlier are confirmed vulnerable.
- Valid credentials (any account with Report Viewer or Report Manager permissions) are required to exploit this vulnerability; it is not unauthenticated.
- The Metasploit module includes a fix for an edge case where an out-of-range revision value in HTTP requests causes the exploit to fail; ensure any custom exploit tooling uses valid revision IDs.
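
An added example (not code from Tactical RMM or from the sources quoted above) of the `template_md` and `tee` monitoring items: it scores the template body of POSTs to the preview endpoint. The JSON log format, its field names, the weights and the threshold are assumptions, and the sample records are constructed.

```python
import json
import re

PREVIEW_PATH = "/reporting/templates/preview/"  # endpoint named in the advisory
# Signals taken from the detection items above; the weights are assumptions.
SIGNALS = [
    ("jinja_delimiter", re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S), 1),
    ("dunder_traversal", re.compile(
        r"__(class|mro|base|bases|subclasses|globals|builtins|import|init)__"), 5),
    ("tee_command", re.compile(r"\btee\b"), 4),
]
# Assumption: legitimate report templates contain ordinary Jinja2 expressions,
# so delimiters alone stay below the alert threshold.
ALERT_THRESHOLD = 5

def score_template(template_md):
    """Return (score, [signal names]) for one template_md value."""
    hits = [(name, weight) for name, rx, weight in SIGNALS if rx.search(template_md)]
    return sum(w for _, w in hits), [n for n, _ in hits]

def scan(log_lines):
    """Return alerts for POSTs to the preview endpoint whose template scores high."""
    alerts = []
    for line in log_lines:
        try:
            rec = json.loads(line)
            body = json.loads(rec.get("body") or "{}")
        except (ValueError, TypeError, AttributeError):
            continue  # malformed or unexpected record shape
        if not isinstance(body, dict) or rec.get("method") != "POST":
            continue
        if not str(rec.get("path", "")).startswith(PREVIEW_PATH):
            continue
        template = body.get("template_md")
        if not isinstance(template, str):
            continue
        score, names = score_template(template)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": rec.get("user"), "score": score, "signals": names})
    return alerts

# Constructed sample records (hypothetical proxy log with captured request bodies).
SAMPLE_LOG = [
    json.dumps({"method": "POST", "path": PREVIEW_PATH, "user": "viewer1",
                "body": json.dumps({"template_md": "# Report\n{{ agent.hostname }}"})}),
    json.dumps({"method": "POST", "path": PREVIEW_PATH, "user": "viewer2",
                "body": json.dumps({"template_md": "{{ x.__class__.__subclasses__() }}"})}),
    json.dumps({"method": "GET", "path": "/reporting/templates/", "user": "admin", "body": ""}),
]
```

Matching of this kind only narrows what an analyst has to review; the fix listed in the table above is the upgrade to 1.4.0.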