
Security Alert: BeyondTrust Remote Products Vulnerable to Exploitation

Scott Walsh, June 25, 2025

BeyondTrust disclosed on June 16, 2025, that the chat feature within its Remote Support (RS) and Privileged Remote Access (PRA) products is affected by a server-side template injection vulnerability, which can lead to remote code execution (RCE).

By leveraging the high-severity vulnerability, CVE-2025-5309 (CVSS 8.6), an attacker can execute arbitrary code in the context of the server. For RS, exploitation does not require authentication. 

BeyondTrust has released a patch and advised on-premises customers to manually apply the patch if auto updates aren’t already enabled. 

What's the concern?

RS is an enterprise technology that helps IT teams troubleshoot by remotely connecting to systems and devices. PRA is a secure gateway that ensures users can only access specific systems and resources that they’ve been authorized to use. By exploiting the vulnerability in RS and PRA, attackers can execute remote code by sending specially crafted requests.


Who's at risk?

Coalition has seen a rise in attacks on technologies that enable remote access. For example, Coalition policyholders using internet-exposed remote desktop protocol were 2.5 times more likely to experience a claim.

For this specific BeyondTrust vulnerability, the most impacted Coalition policyholders were larger businesses with over 1,000 employees (30%). The most impacted industry sector was healthcare-related businesses (26%), including healthcare providers, healthcare technology, and pharmaceutical companies.


BeyondTrust has not yet identified whether the vulnerability has been exploited in the wild.

How businesses can address this vulnerability

The affected versions are:

  • Remote Support: 24.2.2 to 24.2.4, 24.3.1 to 24.3.3, and 25.1.1

  • Privileged Remote Access: 24.2.2 to 24.2.4, 24.3.1 to 24.3.3, and 25.1.1
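
To triage an appliance inventory against the affected ranges listed above, the following added example (not code from BeyondTrust or Coalition) classifies each recorded version. The CSV layout, hostnames and status labels are assumptions made for illustration; versions outside the listed ranges are reported as "not-listed" rather than safe, because this page does not state the fixed versions.

```python
import csv
import io

# Inclusive affected ranges as listed in this alert (identical for RS and PRA).
AFFECTED_RANGES = [
    ((24, 2, 2), (24, 2, 4)),
    ((24, 3, 1), (24, 3, 3)),
    ((25, 1, 1), (25, 1, 1)),
]
PRODUCTS = {"remote support", "privileged remote access"}

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not N.N.N."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(product, version):
    """Return 'affected', 'not-listed', 'unknown-version' or 'other-product'."""
    if product.strip().lower() not in PRODUCTS:
        return "other-product"
    parsed = parse_version(version)
    if parsed is None:
        return "unknown-version"  # needs manual review; never assume safe
    for low, high in AFFECTED_RANGES:
        if low <= parsed <= high:  # tuple comparison is field by field
            return "affected"
    return "not-listed"  # outside the ranges above; confirm with the vendor advisory

def triage(inventory_csv):
    """Map each host in a host,product,version CSV to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["product"], row["version"]) for row in reader}

# Constructed sample inventory (hostnames and column layout are hypothetical).
SAMPLE = """host,product,version
rs-01.example.internal,Remote Support,24.3.2
pra-01.example.internal,Privileged Remote Access,25.1.1
rs-02.example.internal,Remote Support,24.2.1
pra-02.example.internal,Privileged Remote Access,24.3
vpn-01.example.internal,Other Gateway,24.2.3
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```
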

On-premises customers should apply the patch if their instance is not subscribed to automatic updates in their appliance interface.

If the patch cannot be applied, the following options for the Public Site can help mitigate exploitation of this vulnerability:

  • Enable SAML authentication for the Public Portal

  • Enforce session key usage by:

      • Ensuring Session Keys are enabled

      • Disabling the Representative List

      • Disabling the Issue Submission Survey

How Coalition is responding

On June 18, we proactively notified impacted policyholders about this vulnerability through Coalition Control®, our unified cyber risk management platform. Coalition is committed to quickly and efficiently notifying our customers of any vulnerabilities within their networks. 

For any questions or assistance with mitigation, please contact the Coalition Security Support Center at securitysupport@coalitioninc.com. 


This blog post is designed to provide general information on the topic presented and is not intended to constitute the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees makes any warranty of any kind, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over, or assume responsibility or liability for the content, privacy policy or practices of any such third-party websites.
