CVE-2025-69516
Published: 29 January 2026
Description
A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the server.
The endpoint does not sanitize the template_md parameter, so a caller can inject Jinja2 template syntax directly. In generate_html() the user-controlled value is passed to env.from_string, which compiles and evaluates its argument as an arbitrary Jinja2 template; the attacker's input is therefore executed as a template rather than rendered as content, which is what makes the SSTI possible.
Mitigating Controls (NIST 800-53 r5)
SI-10 directly mitigates SSTI by requiring validation and sanitization of user-controlled inputs like the template_md parameter before processing in Jinja2 env.from_string.
SI-2 ensures timely identification, reporting, and patching of flaws like this SSTI vulnerability in Tactical RMM versions <= v1.3.1.
RA-5 requires vulnerability scanning to detect and remediate SSTI issues such as CVE-2025-69516 in the /reporting/templates/preview/ endpoint.
Security Summary
CVE-2025-69516 is a Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1. The issue stems from improper sanitization of the user-controlled template_md parameter, which enables direct injection of Jinja2 templates. This occurs due to misuse of the generate_html() function, where the parameter is inserted into env.from_string, a function that processes Jinja2 templates arbitrarily, leading to SSTI and potential remote command execution (CWE-1336).
Low-privileged users with Report Viewer or Report Manager permissions can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants attackers high-impact remote command execution on the server, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Advisories and mitigation details can be found in the referenced sources, including a GitHub Gist detailing the vulnerability at https://gist.github.com/NtGabrielGomes/7c424367cc316fd7527f668ff076fece, the Tactical RMM GitHub repository at https://github.com/amidaware/tacticalrmm, and the vendor site at https://www.amidaware.com/. Security practitioners should consult these for patch information and remediation steps.
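The description and summary above both come down to one pattern: a string the user controls is handed to env.from_string, so it is compiled as a Jinja2 template instead of being treated as report content. The following is an added illustration, not Tactical RMM's code; the generate_html_* functions, the Agent class and the two sample inputs are constructed for this example. It shows the vulnerable shape, then two hardened variants: treating the user's text purely as data inserted into a developer-owned template, and, for the case where users are genuinely meant to author templates, rendering under Jinja2's SandboxedEnvironment so that attribute walks like the probe below are refused.

```python
"""Added example: SSTI via Jinja2 env.from_string, and two hardened variants.

Not Tactical RMM's code. generate_html_* and Agent are hypothetical
reconstructions of the pattern the advisory describes.
"""
import jinja2
from jinja2.sandbox import SandboxedEnvironment, SecurityError


class Agent:
    """Stand-in for an object a report template is allowed to read."""
    hostname = "ws01"


# Constructed inputs: a benign report body, and the classic SSTI probe that
# walks from a string literal up to Python's object class and its subclasses.
BENIGN_MD = "# Agent report\n\nHostname: {{ agent.hostname }}\n"
PROBE_MD = "{{ ''.__class__.__mro__[1].__subclasses__() }}"


def generate_html_vulnerable(template_md: str, agent: Agent) -> str:
    """The vulnerable shape: the user's text becomes the template itself.

    A default Environment evaluates any expression in template_md with full
    access to Python attributes, so the probe above reaches arbitrary classes
    (and from there modules such as os or subprocess), which is what turns
    an SSTI into remote command execution.
    """
    env = jinja2.Environment()
    return env.from_string(template_md).render(agent=agent)


def generate_html_as_data(template_md: str, agent: Agent) -> str:
    """Hardened variant 1: user text is data, never a template.

    The only template is developer-owned; the user's text is passed in as a
    variable and autoescaped, so "{{ ... }}" is emitted literally.
    """
    env = jinja2.Environment(autoescape=True)
    page = env.from_string(
        "<h1>Report for {{ agent.hostname }}</h1>\n<pre>{{ body }}</pre>\n"
    )
    return page.render(agent=agent, body=template_md)


def generate_html_sandboxed(template_md: str, agent: Agent) -> str:
    """Hardened variant 2, for when users legitimately author templates.

    SandboxedEnvironment refuses access to underscore-prefixed and other
    unsafe attributes, so the probe raises SecurityError at render time.
    Treat this as defence in depth: sandbox escapes have been found before,
    so still restrict who may author templates and which objects are passed
    into the render context.
    """
    env = SandboxedEnvironment(autoescape=True)
    try:
        return env.from_string(template_md).render(agent=agent)
    except SecurityError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    agent = Agent()
    print(generate_html_vulnerable(BENIGN_MD, agent))
    print(generate_html_vulnerable(PROBE_MD, agent)[:80])  # leaks class list
    print(generate_html_as_data(PROBE_MD, agent))
    print(generate_html_sandboxed(BENIGN_MD, agent))
    print(generate_html_sandboxed(PROBE_MD, agent))
```

Which hardened variant applies depends on whether template_md is meant to carry Jinja2 at all; if it is only Markdown, the first variant removes the template engine from the user-controlled path entirely. In either case the server-side fix does not replace the authorization question the advisory raises: the endpoint is reachable by Report Viewer and Report Manager roles, so template authoring should be gated to the roles that actually need it, and affected installations should apply the vendor's patch from the referenced sources.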
Details
- CWE(s): CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
Affected Products
- Amidaware Tactical RMM, versions up to and including v1.3.1
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSTI sits in a network-reachable web endpoint, so exploiting it is Exploit Public-Facing Application (T1190). Because an account holding only Report Viewer or Report Manager permissions gains command execution on the server itself, the outcome also maps to Exploitation for Privilege Escalation (T1068).