cbcvebase.
CVE-2025-69516
published 2026-01-29

CVE-2025-69516: A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or…

PriorityP267high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
2.10%
79.4th percentile
A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the server. This occurs due to improper sanitization of the template_md parameter, enabling direct injection of Jinja2 templates. This occurs due to misuse of the generate_html() function, the user-controlled value is inserted into `env.from_string`, a function that processes Jinja2 templates arbitrarily, making an SSTI possible.

Affected

1 ranges
VendorProductVersion rangeFixed in
amidawaretactical_rmm< 1.4.01.4.0

Detection & IOCsextracted from sources · hover to see the quote

url/reporting/templates/preview/
pathlinux/http/tacticalrmm_ssti_rce_cve_2025_69516
  • Monitor POST requests to the /reporting/templates/preview/ endpoint for Jinja2 template injection patterns in the `template_md` parameter (e.g., {{ }}, {% %}, Python dunder/subclass traversal expressions).
  • Alert on use of `env.from_string` / `Environment.from_string()` with user-controlled input in Tactical RMM's reporting code path, as this is the vulnerable sink that enables arbitrary Python execution.
  • Detect Knox API token acquisition followed immediately by requests to the template preview endpoint — the exploit authenticates to obtain a Knox API token before delivering the SSTI payload.
  • Flag use of `tee` in command payloads delivered via the template preview endpoint; the Metasploit module specifically uses `tee` to avoid redirect operators that would otherwise break exploitation.
  • Restrict access to the /reporting/templates/preview/ endpoint to high-privileged roles only; the vulnerability is exploitable by low-privileged Report Viewer or Report Manager accounts.
  • ·The vulnerability was silently patched in Tactical RMM v1.4.0 by replacing jinja2.Environment with jinja2.sandbox.SandboxedEnvironment. Versions v1.3.1 and earlier are confirmed vulnerable.
  • ·Valid credentials (any account with Report Viewer or Report Manager permissions) are required to exploit this vulnerability — it is not unauthenticated.
  • ·The Metasploit module includes a fix for an edge case where an out-of-range revision value in HTTP requests causes the exploit to fail; ensure any custom exploit tooling uses valid revision IDs.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.