CVE-2025-69516

CVSS 8.8 HIGHEPSS 2.1%CWE-1336

In short

A flaw in Amidaware Tactical RMM's reporting preview feature allows users with report permissions to inject malicious code that runs on the server. This happens because user input isn't properly checked before being processed as a template, giving attackers the ability to execute commands.

Technical detail

Server-Side Template Injection (SSTI) in the /reporting/templates/preview/ endpoint via unsanitized template_md parameter, exploitable by authenticated users with Report Viewer or Report Manager roles. The vulnerability stems from direct passage of user input to Jinja2's env.from_string() function without sanitization, enabling arbitrary template processing and remote command execution on the affected server.

Summary generated and translated by AI from the official description.

A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the server. This occurs due to improper sanitization of the template_md parameter, enabling direct injection of Jinja2 templates. This occurs due to misuse of the generate_html() function, the user-controlled value is inserted into `env.from_string`, a function that processes Jinja2 templates arbitrarily, making an SSTI possible.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://gist.github.com/NtGabrielGomes/7c424367cc316fd7527f668ff076fece https://github.com/amidaware/tacticalrmm https://www.amidaware.com/