BeyondTrust has issued urgent updates to patch a high-severity remote code execution (RCE) vulnerability in its Remote Support (RS) and Privileged Remote Access (PRA) products. If left unpatched, the flaw—tracked as CVE-2025-5309—can allow unauthenticated attackers to execute arbitrary code on vulnerable servers.
The issue was discovered by Jorren Geurts of Resillion and lies in the chat feature of RS and PRA. According to BeyondTrust, the flaw is rooted in a server-side template injection due to insufficient input sanitization.
“Remote Support and Privileged Remote Access components do not properly escape input intended for the template engine, leading to a potential template injection vulnerability,” BeyondTrust stated in its advisory.
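The root cause the advisory describes, shown on a minimal Go text/template chat renderer. This is an added illustration, not BeyondTrust's code or the actual vulnerable component; the function names, the constructed server context and the placeholder secret are assumptions. The unsafe function parses user text as part of the template source, the safe one keeps the template fixed and passes the text as data, and a small detection hook flags chat input that carries template delimiters.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Constructed server-side context; a real renderer would expose session
// data, configuration or helper objects here (placeholder value).
var serverCtx = map[string]string{
	"Secret": "PLACEHOLDER-INTERNAL-VALUE",
}

// renderUnsafe mirrors the SSTI anti-pattern: the user's chat text becomes
// part of the template *source*, so delimiters in it are parsed and executed.
func renderUnsafe(userMsg string) (string, error) {
	src := "Chat message: " + userMsg
	t, err := template.New("chat").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, serverCtx); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// chatTmpl is fixed at build time; user input never reaches Parse.
var chatTmpl = template.Must(template.New("chat").Parse("Chat message: {{.Msg}}"))

// renderSafe passes the user's text as data, so any template syntax in it
// is emitted verbatim instead of being interpreted.
func renderSafe(userMsg string) (string, error) {
	var buf bytes.Buffer
	err := chatTmpl.Execute(&buf, map[string]string{"Msg": userMsg})
	return buf.String(), err
}

// looksLikeTemplateSyntax is a cheap log/WAF detection hook: chat text is
// not expected to contain common template delimiters.
func looksLikeTemplateSyntax(userMsg string) bool {
	return strings.Contains(userMsg, "{{") || strings.Contains(userMsg, "${")
}

func main() {
	u, _ := renderUnsafe("{{.Secret}}")
	s, _ := renderSafe("{{.Secret}}")
	fmt.Printf("unsafe=%q\nsafe=%q\n", u, s)
}
```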
Exploitation Requires No Authentication
One of the most alarming aspects of CVE-2025-5309 is that it does not require prior authentication in Remote Support systems. This drastically increases the risk, especially for any internet-facing deployments.
“This flaw may allow an attacker to execute arbitrary code in the context of the server,” BeyondTrust confirmed. “Notably, in the case of Remote Support, exploitation does not require authentication.”
Patch Status of RCE Flaw and Workarounds
BeyondTrust patched all cloud-hosted RS/PRA environments by June 16, 2025. For on-premises installations, organizations are advised to manually apply the patch if automatic updates are not enabled.
Administrators who cannot apply the update immediately can reduce risk by:
- Enabling SAML authentication on the Public Portal.
- Disabling the Representative List and Issue Submission Survey features.
- Enforcing the use of session keys to restrict access.
No In-the-Wild Exploitation Yet—but History Says Otherwise
While CVE-2025-5309 has not yet been exploited in the wild, BeyondTrust has been a target before. In December 2024, the company disclosed a breach involving:
- Two zero-day flaws in RS/PRA: CVE-2024-12356 and CVE-2024-12686
- A PostgreSQL zero-day: CVE-2025-1094
- An API key theft that led to the compromise of 17 SaaS instances
| Attribute | Details |
|---|---|
| Vulnerability ID | CVE-2025-5309 |
| Product Affected | BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) |
| Vulnerability Type | Server-Side Template Injection (SSTI) |
| Severity | High |
| Authentication Needed | None (pre-auth RCE possible) |
| Date Patched | June 16, 2025 (Cloud) / manual patch for on-prem |
| Discovered By | Jorren Geurts (Resillion) |
| Mitigation Options | Enable SAML, disable Representative List/Surveys, enforce session keys |
| Exploited in Wild? | Not confirmed, but prior RS/PRA flaws were targeted |
| Notable Incidents | Treasury Dept. breach linked to older RS/PRA zero-days |
U.S. Treasury Breach and Silk Typhoon Connection
One month later, the U.S. Treasury Department confirmed a cyber intrusion tied to these same vulnerabilities. The threat actor behind the attack was identified as Silk Typhoon, a Chinese state-sponsored group. The adversaries reportedly gained access to sensitive files from the Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment in the United States (CFIUS).
This incident prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2024-12356 to its Known Exploited Vulnerabilities (KEV) catalog, mandating U.S. federal agencies to remediate the flaw by January 13.
A High-Value Target
BeyondTrust’s solutions are widely used in enterprise environments, with over 20,000 customers across 100+ countries, including 75% of the Fortune 100. This makes any vulnerability in its platform a high-value opportunity for advanced persistent threat (APT) groups and ransomware operators alike.