SOCRadar® Cyber Intelligence Inc. | CVE-2025-5309: RCE in BeyondTrust Chat Feature Affects Remote Support and PRA
Jun 19, 2025
CVE-2025-5309: RCE in BeyondTrust Chat Feature Affects Remote Support and PRA

A recently disclosed security flaw in BeyondTrust’s Remote Support and Privileged Remote Access products has drawn attention for its potential to allow Remote Code Execution (RCE) through a chat feature. This high-severity issue is tracked under CVE-2025-5309 and highlights the ongoing risk posed by server-side template injection (SSTI) in widely used IT management platforms.

What is CVE-2025-5309?

CVE-2025-5309 (CVSSv4 8.6, CVSSv3 9.8) is classified under CWE-94 (Improper Control of Generation of Code), and its vector indicates that exploitation is possible remotely, without authentication, with a high potential impact on confidentiality and integrity.

CVE-2025-5309 (SOCRadar Vulnerability Intelligence)

This vulnerability stems from how BeyondTrust’s chat interface handles user input. Specifically, the application fails to sanitize inputs before passing them into a server-side template engine, a mechanism designed to render dynamic web content. Insecure handling of this data allows malicious actors to craft special template syntax that the engine executes, turning a simple message input into a command execution mechanism.

In the Remote Support product, the chat function can be accessed without any authentication. This dramatically expands the threat surface, as even unauthenticated external actors can potentially exploit the flaw over the internet.
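To make the mechanism concrete, here is an added illustration that is not BeyondTrust's code: the tiny `{{ path }}` template engine, the two chat rendering functions and the `config.api_key` value are all constructed for this post. The vulnerable handler splices the chat message into the template source, so template syntax in the message is interpreted with access to the server-side context; the hardened handler passes the message in as a variable, so it is emitted as data.

```python
import html
import re

# Minimal template engine constructed for this illustration: "{{ a.b }}" is
# resolved by walking dict keys / attributes from the render context.
TAG = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")

def _lookup(ctx, path):
    cur = ctx
    for part in path.split("."):
        cur = cur[part] if isinstance(cur, dict) else getattr(cur, part)
    return cur

def render(source, ctx):
    # Resolved values are HTML-escaped; the replacement text is not rescanned.
    return TAG.sub(lambda m: html.escape(str(_lookup(ctx, m.group(1)))), source)

class ServerConfig:
    api_key = "EXAMPLE-KEY-not-real"  # constructed placeholder, not a real secret

CTX = {"config": ServerConfig(), "rep": "support-agent"}

def render_chat_vulnerable(message):
    # Vulnerable pattern: the user's text becomes part of the template SOURCE,
    # so any {{ ... }} they type is interpreted by the engine with the same
    # access to the server-side context as the developer's own template.
    return render("<li>" + message + " (to {{ rep }})</li>", CTX)

def render_chat_hardened(message):
    # Hardened pattern: the template source is a fixed string and the user's
    # text arrives as a context VARIABLE, so it is emitted verbatim (escaped)
    # and never parsed as template syntax.
    return render("<li>{{ msg }} (to {{ rep }})</li>", {**CTX, "msg": message})

if __name__ == "__main__":
    probe = "hi {{ config.api_key }}"
    print(render_chat_vulnerable(probe))  # the constructed api_key appears in the output
    print(render_chat_hardened(probe))    # the braces are printed literally
```

The same split applies to any real engine: keep the template source static and let only the context carry user input, with output escaping as a second layer rather than the only one.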

Which BeyondTrust Products and Versions Are Affected?

The following product versions are confirmed vulnerable:

  • Remote Support: 24.2.2 to 24.2.4, 24.3.1 to 24.3.3, and 25.1.1
  • Privileged Remote Access: Same version ranges as above

Organizations running any of the affected versions should treat this as a priority issue due to the ease of exploitation and potential impact.

What Are the Risks for Enterprises?

For enterprises leveraging BeyondTrust to manage sensitive environments, the CVE-2025-5309 flaw poses multiple threats:

  • Unauthorized Code Execution: Exploitation could lead to full control over the affected server, enabling lateral movement or data exfiltration.
  • Unauthenticated Access: Remote Support’s chat module can be reached without prior login, increasing the risk of external scanning and exploitation.
  • Cloud vs. On-Prem Disparity: While cloud customers have already been patched, on-premise deployments remain vulnerable unless manually updated.

How BeyondTrust RS & PRA Vulnerabilities Were Exploited in 2024

While CVE-2025-5309 is newly disclosed, it comes on the heels of a major security incident involving BeyondTrust products in late 2024. During that event, Chinese state-sponsored attackers exploited two zero-day vulnerabilities – CVE-2024-12356 (command injection) and CVE-2024-12686 (privilege escalation) – in Remote Support and Privileged Remote Access. Using a stolen API key, the attackers gained unauthorized access to systems within the U.S. Treasury Department.

Remediation Strategy: Patching and Risk Reduction

Organizations using BeyondTrust’s affected products should take the following steps to secure their environments:

  • Verify your current product version
  • Apply the latest patches immediately
  • Review chat feature configurations, especially if publicly accessible
  • Audit access logs for unusual activity if the system was unpatched before June 16, 2025

Patched Versions

BeyondTrust has pushed patches for all supported versions:

  • Remote Support:
    • Patched versions of 24.2.x and 24.3.x (HELP-10826-2 Patch)
    • 24.3.4 and newer
  • Privileged Remote Access:
    • Patched builds across 24.2.x, 24.3.x, and 25.1.1 (HELP-10826-1 and -2 Patches)
    • 25.1.2 and beyond
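As an added illustration of the "verify your current product version" step (constructed for this post, not a BeyondTrust tool), the following Python encodes the affected ranges and first fixed builds listed above and triages a constructed appliance inventory. The `hotfix` flag is an assumption standing in for whatever the appliance's patch history reports, on the assumption that a 24.2.x or 24.3.x build keeps its version number after the HELP-10826 hotfix is installed.

```python
# Constructed triage helper. Ranges come from the advisory summary on this page.
AFFECTED_RANGES = [
    ((24, 2, 2), (24, 2, 4)),
    ((24, 3, 1), (24, 3, 3)),
    ((25, 1, 1), (25, 1, 1)),
]
# First build on each branch that ships the fix ("Patched Versions" list above).
# 24.2.x has no such build on this page: it is fixed only by the HELP-10826 hotfix.
FIRST_FIXED_BUILD = {(24, 3): (24, 3, 4), (25, 1): (25, 1, 2)}

def parse_version(text):
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version_text, hotfix_applied=False):
    """Classify one appliance as 'vulnerable', 'patched' or 'not-listed'.
    hotfix_applied is an assumed input from the appliance's patch history: a
    vulnerable version number is assumed to stay the same after the hotfix,
    so the version string alone cannot prove the fix is present.
    """
    v = parse_version(version_text)
    if any(low <= v <= high for low, high in AFFECTED_RANGES):
        return "patched" if hotfix_applied else "vulnerable"
    fixed = FIRST_FIXED_BUILD.get(v[:2])
    if fixed is not None and v >= fixed:
        return "patched"
    return "not-listed"  # outside the ranges on this page; consult the advisory

def triage(inventory):
    """Return hosts still needing action, internet-facing chat portals first."""
    todo = []
    for host in inventory:
        status = assess(host["version"], host.get("hotfix", False))
        if status == "vulnerable":
            todo.append((host["name"], host["version"], host["public_chat"]))
    return sorted(todo, key=lambda h: not h[2])

# Constructed sample inventory; Remote Support and PRA share the same ranges.
INVENTORY = [
    {"name": "rs-edge-01", "version": "24.3.2", "public_chat": True},
    {"name": "pra-core-01", "version": "25.1.1", "public_chat": False},
    {"name": "rs-edge-02", "version": "24.2.3", "public_chat": True, "hotfix": True},
    {"name": "rs-lab-01", "version": "24.3.4", "public_chat": True},
]

if __name__ == "__main__":
    for name, version, public in triage(INVENTORY):
        print(f"{name}: {version} vulnerable, public chat={public}")
```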

Mitigation Steps

For organizations unable to apply patches immediately, the following interim steps are recommended:

For Remote Support:

  • Enable SAML Authentication on the Public Portal to restrict access.
  • Enforce Session Key Controls:
    • Confirm that session keys are enabled.
    • Disable the Representative List and Issue Submission Survey to minimize vectors.

For Privileged Remote Access:

  • Patch deployment is the only recommended course of action for affected versions.

For further technical details and patch download links, refer to the official advisory from BeyondTrust.

Detect and Prioritize Cyber Risks Faster with SOCRadar

Monitor your digital environment continuously with SOCRadar’s Attack Surface Management (ASM) to identify exposed assets and vulnerabilities before attackers do.

SOCRadar’s Vulnerability Intelligence

Paired with SOCRadar’s Vulnerability Intelligence, part of the Cyber Threat Intelligence module, you receive timely alerts on new vulnerabilities and exploit activity, helping your team prioritize patches and respond promptly to critical issues like CVE-2025-5309.

Why choose SOCRadar? Its key benefits in Vulnerability Management include:

  • Identify vulnerable assets early
  • Receive real-time vulnerability notifications
  • Track active exploits and evolving attack patterns
  • Make informed, efficient security decisions