Key Information

Advisory ID: BT25-04
CVSSv4 Score: 8.6
Severity: High
Issue Date: 2025-06-16
Updated On: 2025-06-16
CVE(s): CVE-2025-5309
CWE: CWE-94
Synopsis: RCE Via Server Side Template Injection
Impacted Products: Remote Support and Privileged Remote Access

Summary

The chat feature within Remote Support (RS) and Privileged Remote Access (PRA) is vulnerable to a Server Side Template Injection vulnerability which can lead to remote code execution.

Details

Remote Support and Privileged Remote Access components do not properly escape input intended for the template engine, leading to a potential template injection vulnerability. This flaw may allow an attacker to execute arbitrary code in the context of the server. Notably, in the case of Remote Support, exploitation does not require authentication.

Mitigation

A patch has been applied to all RS/PRA cloud customers as of June 16, 2025 that remediates this vulnerability. On-premise customers of RS/PRA should apply the patch if their instance is not subscribed to automatic updates in their appliance interface.

Affected Versions

Fixed Versions

References

https://www.cve.org/cverecord?id=CVE-2025-5309
https://nvd.nist.gov/vuln/detail/CVE-2025-5309

Acknowledgements

We would like to thank Jorren Geurts of Reaillon for reporting this vulnerability responsibly.
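The Details section describes the root cause of CWE-94 in a chat feature: untrusted text reaches the template engine as template source rather than as data. The following is an added illustration, not code from BeyondTrust or from the RS/PRA products, and it uses a constructed minimal placeholder-substitution engine in place of the real one (only variable names are resolved, no expressions). It shows the vulnerable pattern (message spliced into the template string) beside the hardened pattern (constant template, message passed as a context variable and HTML-escaped on output), plus a simple log-side heuristic that flags chat text containing template delimiters, which is useful for spotting probing in chat logs while a patch is rolled out.

```python
import re
from html import escape

# Constructed stand-in for a template engine: resolves {{ name }} from a
# context dict. A real engine would also evaluate expressions, which is what
# makes template injection escalate to code execution.
TOKEN = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def render(template: str, context: dict) -> str:
    """Substitute every {{ name }} in the template source with context[name]."""
    def substitute(match: re.Match) -> str:
        return str(context.get(match.group(1), ""))
    # re.sub does not rescan substituted text, so values are never re-parsed.
    return TOKEN.sub(substitute, template)


# Constructed server-side context; the key is a placeholder, not a real secret.
SERVER_CONTEXT = {"server_name": "support-01", "session_key": "CONSTRUCTED-SECRET"}


def render_chat_vulnerable(message: str) -> str:
    # Defect pattern: the chat message becomes part of the template *source*,
    # so any delimiters inside it are interpreted by the engine.
    template = "<div class='msg'>" + message + "</div>"
    return render(template, SERVER_CONTEXT)


def render_chat_fixed(message: str) -> str:
    # Hardened pattern: the template source is a constant; the message is
    # supplied as data and HTML-escaped so it is displayed, never interpreted.
    template = "<div class='msg'>{{ message }}</div>"
    ctx = dict(SERVER_CONTEXT, message=escape(message))
    return render(template, ctx)


# Delimiters of common template engines; presence in chat text is unusual and
# worth logging as a possible injection attempt (heuristic, constructed here).
TEMPLATE_DELIMITERS = re.compile(r"\{\{|\{%|\$\{|<%|#\{")


def looks_like_template_syntax(message: str) -> bool:
    """Return True when a chat message carries template-engine delimiters."""
    return TEMPLATE_DELIMITERS.search(message) is not None


if __name__ == "__main__":
    probe = "hello {{ session_key }}"
    print("vulnerable:", render_chat_vulnerable(probe))   # context value leaks
    print("fixed:     ", render_chat_fixed(probe))        # rendered literally
    print("flagged:   ", looks_like_template_syntax(probe))
```

The fixed variant keeps the template text under the application's control and moves user input into the data channel, which is the structural fix for CWE-94 regardless of engine; output escaping addresses the separate HTML-injection concern.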