Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The chat feature within Remote Support (RS) and Privileged Remote Access (PRA) is vulnerable to a Server-Side Template Injection vulnerability which can lead to remote code execution.
AnalysisAI
Server-Side Template Injection (SSTI) vulnerability in the chat feature of Citrix Remote Support (RS) and Privileged Remote Access (PRA) that enables unauthenticated remote code execution with a critical CVSS score of 9.8. The vulnerability affects the chat messaging functionality across both products with no authentication or user interaction required, allowing attackers to execute arbitrary code on affected systems. This is a critical severity issue requiring immediate patching.
Technical ContextAI
The vulnerability exists in the chat feature's template processing mechanism, specifically where user-supplied input is passed directly to a server-side template engine without proper sanitization or validation. This falls under CWE-94 (Improper Control of Generation of Code). Template injection vulnerabilities occur when an application uses a templating engine (such as Jinja2, Velocity, FreeMarker, or similar) to render user-controlled data without escaping or sandboxing. In this case, attackers can inject malicious template syntax (e.g., {{7*7}}, ${system.exec()}, or similar expressions depending on the template engine) through chat messages, which are then evaluated server-side, leading to arbitrary code execution. The vulnerability is network-accessible (AV:N) with low attack complexity (AC:L) and requires no privileges (PR:N), making it trivially exploitable.
RemediationAI
- Apply the latest security patch released by Citrix for both Remote Support and Privileged Remote Access products immediately. 2. If immediate patching is not possible, disable or restrict access to the chat feature at the network level using firewall rules or WAF policies until patched. 3. Implement network segmentation to limit exposure of RS/PRA instances to trusted networks only. 4. Monitor for exploitation attempts by checking chat message logs for template injection payloads (e.g., suspicious ${}, {{}}, <%, or expression syntax in chat messages). 5. Review access logs for unusual chat API endpoint requests. 6. Consider disabling the chat feature entirely in non-critical deployments pending patch deployment. Patch version information and detailed vendor advisories should be obtained directly from Citrix Security Advisory (CSA) bulletin corresponding to this CVE.
More in Remote Support
View allBeyondTrust Remote Support (RS) and older versions of Privileged Remote Access (PRA) contain a critical pre-authenticati
Bomgar Remote Support before 15.1.1 allows remote attackers to execute arbitrary PHP code via crafted serialized data to
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which ca
BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) versions 23.2.1 and 23.2.2 contain a command injectio
Authentication bypass in BeyondTrust Remote Support (and the related Privileged Remote Access product) lets an unauthent
Pre-authentication access-control bypass in BeyondTrust Remote Support and Privileged Remote Access appliances lets a ne
Denial-of-service in BeyondTrust Remote Support and Privileged Remote Access appliances lets an unauthenticated remote a
Improper data-query neutralization (NoSQL injection) in the web application component of BeyondTrust Remote Support and
The agent in Bomgar Remote Support 15.2.x before 15.2.3, 16.1.x before 16.1.5, and 16.2.x before 16.2.4 allows DLL hijac
A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacke
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18420