CVE-2025-69516
BaseFortify
Publication date: 2026-01-29
Last updated on: 2026-02-13
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amidaware | tactical_rmm | to 1.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69516 is a Server-Side Template Injection (SSTI) vulnerability in Amidaware Tactical RMM versions 1.3.1 and earlier. It occurs in the /reporting/templates/preview/ endpoint due to improper sanitization of the template_md parameter. This allows low-privileged users with Report Viewer or Report Manager permissions to inject arbitrary Jinja2 templates, leading to remote command execution on the server. The vulnerability arises from misuse of the generate_html() function, where user input is directly processed by env.from_string, enabling SSTI. [2]
How can this vulnerability impact me? :
This vulnerability allows low-privileged authenticated users to execute arbitrary commands remotely on the server hosting Tactical RMM. This can lead to full system compromise, unauthorized access, data theft, disruption of services, and potential lateral movement within the network. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SSTI vulnerability involves identifying attempts to inject Jinja2 template syntax into the /reporting/templates/preview/ endpoint, specifically targeting the template_md parameter. Monitoring web server logs for suspicious payloads containing Jinja2 delimiters such as '{{', '{%', or '{#' in requests to this endpoint can help detect exploitation attempts. Additionally, authenticated user activity logs for Report Viewer or Report Manager roles should be reviewed for unusual or unexpected requests. There are no specific commands provided in the resources, but using tools like curl or Burp Suite to send crafted requests with Jinja2 template payloads to the vulnerable endpoint can help verify if the system is vulnerable. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Amidaware Tactical RMM to version 1.4.0 or later, where this vulnerability has been fixed. Restricting Report Viewer and Report Manager permissions to trusted users and monitoring for suspicious activity can also help reduce risk until the upgrade is applied. [2, 1]