CVE-2025-69516

8.8 HIGH

📋 TL;DR

A Server-Side Template Injection vulnerability in Amidaware Tactical RMM allows low-privileged users with Report Viewer or Report Manager permissions to execute arbitrary commands on the server. This affects versions v1.3.1 and earlier due to improper sanitization of the template_md parameter in the /reporting/templates/preview/ endpoint.

💻 Affected Systems

Products:
  • Amidaware Tactical RMM
Versions: v1.3.1 and earlier
Operating Systems: Linux, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments with Report Viewer or Report Manager users

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise leading to data theft, lateral movement, and persistent backdoor installation

🟠 Likely Case: Unauthorized command execution, data exfiltration, and privilege escalation

🟢 If Mitigated: Limited impact if proper network segmentation and least privilege are enforced

🌐 Internet-Facing: HIGH - If the RMM interface is exposed to the internet, attackers can exploit it remotely
🏢 Internal Only: HIGH - Even internal attackers with low privileges can achieve RCE

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access with Report Viewer or Report Manager permissions

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.3.2 or later

Vendor Advisory: https://github.com/amidaware/tacticalrmm

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Update to v1.3.2 or later from the official repository.
3. Restart the Tactical RMM service.
4. Verify the patch is applied.

🔧 Temporary Workarounds

Disable vulnerable endpoint (applies to: all)

Temporarily disable or restrict access to the /reporting/templates/preview/ endpoint, for example by blocking it at the web server in front of Tactical RMM:

# Example for nginx: add to the server block that serves the Tactical RMM API
location /reporting/templates/preview/ {
    deny all;
}

Restrict user permissions (applies to: all)

Remove Report Viewer and Report Manager permissions from non-essential users.

# Use the Tactical RMM admin interface to modify user permissions

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the RMM server
  • Enforce least privilege by removing Report Viewer/Manager permissions from all non-essential users

🔍 How to Verify

Check if Vulnerable:

Check Tactical RMM version via admin interface or by examining the deployment. Versions ≤1.3.1 are vulnerable.

Check Version:

Check Tactical RMM web interface or deployment configuration files for version number

Verify Fix Applied:

Confirm version is ≥1.3.2 and test the /reporting/templates/preview/ endpoint with known SSTI payloads (in a safe environment).

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /reporting/templates/preview/ with Jinja2 template syntax
  • Suspicious command execution patterns in system logs

Network Indicators:

  • HTTP POST requests to the vulnerable endpoint containing template injection patterns

SIEM Query:

source="tacticalrmm" AND uri_path="/reporting/templates/preview/" AND (request_body CONTAINS "{{" OR request_body CONTAINS "}}")
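The SIEM query above matches only "{{" and "}}"; Jinja2 statement tags ("{% ... %}") contain neither. The following added example (not part of the advisory or of Tactical RMM) applies the same detection logic to constructed request records, also checks statement tags and extracts the template_md parameter from a JSON body, and includes the version comparison from the "How to Verify" section.

```python
import json
import re

# Endpoint and parameter named in the advisory
TARGET_PATH = "/reporting/templates/preview/"
TARGET_PARAM = "template_md"
# Jinja2 expression ({{ }}) and statement ({% %}) delimiters
TEMPLATE_SYNTAX = re.compile(r"\{\{|\}\}|\{%|%\}")
FIXED_VERSION = (1, 3, 2)  # v1.3.2 or later is fixed per the advisory


def parse_version(tag: str) -> tuple:
    """'v1.3.1' -> (1, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in tag.lstrip("v").split("."))


def is_vulnerable_version(tag: str) -> bool:
    """True for v1.3.1 and earlier, False for v1.3.2 and later."""
    return parse_version(tag) < FIXED_VERSION


def template_text(body) -> str:
    """Pull template_md out of a JSON request body; fall back to the raw body."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return body or ""
    if isinstance(data, dict) and TARGET_PARAM in data:
        return str(data[TARGET_PARAM])
    return body


def flag_suspicious(records):
    """Return records that POST template syntax to the preview endpoint."""
    return [
        rec for rec in records
        if rec.get("method") == "POST" and rec.get("uri_path") == TARGET_PATH
        and TEMPLATE_SYNTAX.search(template_text(rec.get("request_body", "")))
    ]


# Constructed sample records (hypothetical, not from a real deployment)
SAMPLE_LOGS = [
    {"ts": "2025-01-10T09:00:01Z", "user": "viewer1", "method": "POST", "uri_path": TARGET_PATH,
     "request_body": json.dumps({"template_md": "# Weekly report\n\nAll agents online."})},
    {"ts": "2025-01-10T09:02:17Z", "user": "viewer1", "method": "POST", "uri_path": TARGET_PATH,
     "request_body": json.dumps({"template_md": "{% set x = 1 %}{{ x }}"})},
    {"ts": "2025-01-10T09:03:40Z", "user": "admin", "method": "POST", "uri_path": "/reporting/templates/",
     "request_body": json.dumps({"name": "{{braces}}"})},
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOGS):
        print(f"ALERT {hit['ts']} user={hit['user']} body={hit['request_body']!r}")
```

Treat hits as triage candidates rather than confirmed exploitation, and tune the pattern for templates that legitimately use Jinja2 syntax in your deployment.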
