
Critical Flaw Uncovered in BeyondTrust's Remote Support Software: What You Need to Know
2025-06-18
Author: Jacques
BeyondTrust has issued urgent security updates to address a severe vulnerability in its Remote Support (RS) and Privileged Remote Access (PRA) solutions, which can allow unauthenticated attackers to execute code remotely on vulnerable servers.
The Remote Support tool is designed for enterprise-level IT teams, enabling them to troubleshoot issues by connecting to systems from anywhere. Meanwhile, the Privileged Remote Access solution serves as a secure gateway, ensuring that users only connect to the systems they are authorized to access.
Designated as CVE-2025-5309, this Server-Side Template Injection vulnerability was identified by security expert Jorren Geurts from Resillion within the chat feature of BeyondTrust’s RS/PRA.
BeyondTrust reported in an advisory that, "Remote Support and Privileged Remote Access components fail to adequately escape user input for the template engine, resulting in a potential template injection flaw that could allow attackers to run arbitrary code on the server. Importantly, exploiting this vulnerability does not require prior user authentication."
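To make the advisory's wording concrete, the following added example (not BeyondTrust's code, and not a reproduction of the real RS/PRA template engine) uses a deliberately tiny, hypothetical template engine that only substitutes `{{ name }}` placeholders. It contrasts the vulnerable pattern the advisory describes (user input concatenated into template source, so the engine interprets it) with the fixed pattern (user input passed only as data), plus an escaping helper and a simple detection signal. The context values, the `api_key` placeholder and all function names are constructed for illustration.

```python
"""Server-side template injection (SSTI) illustrated with a toy template engine.

Added, hypothetical example: this is not BeyondTrust code and does not model the
actual RS/PRA chat implementation. It shows the class of bug the advisory
describes (user input reaching the template engine unescaped) and the fixes
defenders apply: keep untrusted text out of template source, escape delimiters,
and log suspicious input while a patch is pending.
"""
import re

# Constructed context such as a chat-page renderer might hold. The api_key value
# stands in for any server-side secret a template can reach; it is made up.
CONTEXT = {"agent": "Support Agent", "api_key": "EXAMPLE-NOT-A-REAL-KEY"}

# The toy engine understands only {{ name }} lookups; no expressions, no code.
TAG = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template_source: str, context: dict) -> str:
    """Replace each {{ name }} with context[name]; unknown names render empty.

    re.sub makes a single pass over template_source, so substituted values are
    never re-parsed as template syntax."""
    return TAG.sub(lambda m: str(context.get(m.group(1), "")), template_source)


def render_chat_vulnerable(message: str) -> str:
    """VULNERABLE PATTERN: the user's chat message is concatenated into the
    template source, so whatever the user wrote between braces is evaluated
    by the engine with access to the server-side context."""
    template_source = "<p>{{ agent }}: " + message + "</p>"
    return render(template_source, CONTEXT)


def render_chat_fixed(message: str) -> str:
    """FIXED PATTERN: the template is a constant; the message enters only as a
    context value, so the engine never parses the user's text as markup."""
    template_source = "<p>{{ agent }}: {{ message }}</p>"
    return render(template_source, {**CONTEXT, "message": message})


def escape_for_template(text: str) -> str:
    """Defense in depth: neutralise template delimiters in untrusted text before
    it could ever be placed into template source. This is what 'adequately
    escaping user input for the template engine' means for this toy engine."""
    return text.replace("{{", "{ {").replace("}}", "} }")


def flag_template_syntax(message: str) -> bool:
    """Detection helper: True when a chat message carries template delimiters.
    Useful as a logging/alerting signal on unauthenticated chat input while an
    on-premises instance is still waiting for the patch."""
    return bool(TAG.search(message))


if __name__ == "__main__":
    untrusted = "hello {{ api_key }}"  # constructed chat message
    print("vulnerable:", render_chat_vulnerable(untrusted))
    print("fixed:     ", render_chat_fixed(untrusted))
    print("escaped:   ", render_chat_vulnerable(escape_for_template(untrusted)))
    print("flagged:   ", flag_template_syntax(untrusted))
```

The vulnerable path leaks a context value because the message became part of the template itself; the fixed path renders the same braces literally, because the engine sees them only as data. In a real deployment the fix belongs in the renderer (constant templates, auto-escaping), and the detection helper is a stopgap signal, not a substitute for patching.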
The company has already patched all RS/PRA cloud systems as of June 16, 2025, and it urges on-premises users to manually apply updates if they haven't activated automatic updates.
However, for administrators who cannot implement the security patches immediately, BeyondTrust recommends enabling SAML authentication for the Public Portal and enforcing session keys by disabling certain features.
The patched software versions include Remote Support 24.2.2 to 24.2.4 and 24.3.1 to 24.3.3, among others, along with additional patches for Privileged Remote Access.
While BeyondTrust has not reported any current exploitation of this flaw, previous vulnerabilities in its RS/PRA solutions have been exploited in attacks over recent years.
In a shocking revelation, the company announced in December that its systems had been breached using two zero-day vulnerabilities and that sensitive information—including an API key—was stolen, compromising 17 Remote Support SaaS instances.
This incident led to security breaches in U.S. government networks, allegedly connected to a Chinese hacking group known as Silk Typhoon.
Silk Typhoon reportedly accessed BeyondTrust's instances to exfiltrate unclassified information related to U.S. sanctions, impacting national security.
In response to these threats, CISA added one of the identified vulnerabilities to its Known Exploited Vulnerabilities catalog, mandating that federal agencies secure their networks swiftly.
BeyondTrust serves over 20,000 clients worldwide, including 75% of Fortune 100 companies, which emphasizes the critical need for immediate attention to these vulnerabilities.