CVE-2025-69516
BaseFortify

Publication date: 2026-01-29

Last updated on: 2026-02-13

Assigner: MITRE

Description
A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the server. The cause is improper sanitization of the template_md parameter, which allows direct injection of Jinja2 templates: the generate_html() function passes the user-controlled value to `env.from_string`, which parses and renders arbitrary Jinja2 template source, making SSTI possible.
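The pattern the description names, shown beside a hardened form, as an added example. This is not Tactical RMM's code: the function names, the fixed template and the sample input are constructed for illustration, and the markdown-to-HTML conversion that a real generate_html() would perform afterwards is left out. Requires the jinja2 package.

```python
# Added example (not Tactical RMM's code): untrusted text used as template
# source versus untrusted text passed to a fixed template as data.
# Requires jinja2 (`pip install jinja2`).
from jinja2 import Environment

env = Environment(autoescape=True)


def render_untrusted_as_template(template_md: str) -> str:
    """The pattern the advisory describes: the user-controlled string *is* the
    template source, so every Jinja2 expression in it is evaluated on the server."""
    return env.from_string(template_md).render()


# Developer-owned template; the only template source Jinja2 ever parses here.
FIXED_TEMPLATE = env.from_string("{{ body }}")


def render_untrusted_as_data(template_md: str) -> str:
    """Hardened form: the user's text is a variable, never template source.
    Jinja2 does not parse it, and autoescape neutralizes HTML metacharacters."""
    return FIXED_TEMPLATE.render(body=template_md)


if __name__ == "__main__":
    # Constructed input that contains a template expression.
    sample = "Total: {{ 1 + 1 }}"
    print(render_untrusted_as_template(sample))  # evaluated -> "Total: 2"
    print(render_untrusted_as_data(sample))      # literal   -> "Total: {{ 1 + 1 }}"
```

Where user-authored templates are a product feature and cannot simply be treated as data, the remaining options are to confine rendering (for example jinja2's SandboxedEnvironment as defense in depth) and to limit template authoring to trusted roles, which is what the mitigation section below recommends until the fixed version is installed.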
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-29
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: amidaware
Product: tactical_rmm
Version / Range: up to 1.4.0 (excluding)
CWE
CWE-1336: The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Executive Summary

CVE-2025-69516 is a Server-Side Template Injection (SSTI) vulnerability in Amidaware Tactical RMM versions 1.3.1 and earlier. It occurs in the /reporting/templates/preview/ endpoint due to improper sanitization of the template_md parameter. This allows low-privileged users with Report Viewer or Report Manager permissions to inject arbitrary Jinja2 templates, leading to remote command execution on the server. The vulnerability arises from misuse of the generate_html() function, where user input is directly processed by env.from_string, enabling SSTI. [2]

Impact Analysis

This vulnerability allows low-privileged authenticated users to execute arbitrary commands remotely on the server hosting Tactical RMM. This can lead to full system compromise, unauthorized access, data theft, disruption of services, and potential lateral movement within the network. [2]

Detection Guidance

Detection of this SSTI vulnerability involves identifying attempts to inject Jinja2 template syntax into the /reporting/templates/preview/ endpoint, specifically via the template_md parameter. Monitoring web server logs for payloads containing Jinja2 delimiters such as '{{', '{%', or '{#' in requests to this endpoint can help detect exploitation attempts. Additionally, activity logs for authenticated users holding the Report Viewer or Report Manager roles should be reviewed for unusual or unexpected requests. The resources provide no specific commands, but tools such as curl or Burp Suite can be used to send crafted requests with Jinja2 template payloads to the endpoint to verify whether a system is vulnerable. [2]
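The log review described above, as an added example that is not part of the original record. It assumes a reverse proxy or WAF that logs the request body of this endpoint as JSON lines (an ordinary access log does not contain POST bodies); the record layout, field names, the sample entries and the set of roles expected to author templates are all constructed for this example. Because report templates legitimately use Jinja2 syntax, the presence of delimiters alone is only a lead, so the scan ranks hits by whether the sender's role is expected to author templates.

```python
# Added example (not Tactical RMM's code): flag preview requests whose
# template_md carries Jinja2 delimiters, after percent-decoding.
import json
from urllib.parse import unquote

PREVIEW_ENDPOINT = "/reporting/templates/preview/"
JINJA2_DELIMITERS = ("{{", "{%", "{#")
# Assumption for this example: only Report Managers are expected to author
# templates, so template syntax from any other role is ranked higher.
TEMPLATE_AUTHOR_ROLES = {"Report Manager"}

# Constructed sample records (JSON lines with the request body logged). Not real traffic.
SAMPLE_LOG = """
{"ts": "2026-02-01T10:00:00Z", "user": "alice", "role": "Report Manager", "method": "POST", "path": "/reporting/templates/preview/", "body": {"template_md": "# Weekly summary\\n\\nAll agents checked in."}}
{"ts": "2026-02-01T10:05:12Z", "user": "bob", "role": "Report Viewer", "method": "POST", "path": "/reporting/templates/preview/", "body": {"template_md": "%7B%7B%20site.name%20%7D%7D"}}
{"ts": "2026-02-01T10:06:40Z", "user": "alice", "role": "Report Manager", "method": "POST", "path": "/reporting/templates/preview/", "body": {"template_md": "{% for a in agents %}- {{ a.hostname }}\\n{% endfor %}"}}
{"ts": "2026-02-01T10:07:02Z", "user": "carol", "role": "Report Viewer", "method": "GET", "path": "/reporting/templates/", "body": {}}
""".strip().splitlines()


def percent_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded delimiters are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def delimiters_in(text: str) -> list[str]:
    """Return the Jinja2 delimiters present in the text, in a fixed order."""
    return [d for d in JINJA2_DELIMITERS if d in text]


def scan_preview_requests(lines) -> list[dict]:
    """Return one finding per preview request whose template_md contains template syntax."""
    findings = []
    for raw in lines:
        rec = json.loads(raw)
        if rec.get("path") != PREVIEW_ENDPOINT:
            continue
        template_md = percent_decode(str(rec.get("body", {}).get("template_md", "")))
        hits = delimiters_in(template_md)
        if not hits:
            continue
        severity = "review" if rec.get("role") in TEMPLATE_AUTHOR_ROLES else "high"
        findings.append({
            "ts": rec["ts"],
            "user": rec["user"],
            "role": rec["role"],
            "delimiters": hits,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in scan_preview_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['severity']:6} {f['user']} ({f['role']}) delimiters={f['delimiters']}")
```

On the constructed sample this reports bob's percent-encoded request as high (a Report Viewer sending template syntax) and alice's looped template as review; the GET to a different path and the plain markdown preview produce nothing. Bounding the decode loop keeps a crafted input from making the scanner spin.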

Mitigation Strategies

The immediate mitigation step is to upgrade Amidaware Tactical RMM to version 1.4.0 or later, where this vulnerability has been fixed. Restricting Report Viewer and Report Manager permissions to trusted users and monitoring for suspicious activity can also help reduce risk until the upgrade is applied. [2, 1]
