EUVD-2025-18420

CVE-2025-5309 | CRITICAL 9.8 (CVSS 3.1)
Published 2025-06-16

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 21:59 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 21:59 (euvd) - EUVD-2025-18420
CVE Published: Jun 16, 2025 - 17:15 (nvd) - CRITICAL 9.8

Description

The chat feature within Remote Support (RS) and Privileged Remote Access (PRA) is vulnerable to a Server-Side Template Injection vulnerability which can lead to remote code execution.

Analysis

A Server-Side Template Injection (SSTI) vulnerability in the chat feature of Citrix Remote Support (RS) and Privileged Remote Access (PRA) enables unauthenticated remote code execution and carries a critical CVSS score of 9.8. The vulnerability affects the chat messaging functionality in both products; no authentication or user interaction is required, so an attacker who can reach the chat interface can execute arbitrary code on the affected system. This is a critical severity issue requiring immediate patching.

Technical Context

The vulnerability exists in the chat feature's template processing mechanism, specifically where user-supplied input is passed directly to a server-side template engine without proper sanitization or validation. This falls under CWE-94 (Improper Control of Generation of Code). Template injection vulnerabilities occur when an application uses a templating engine (such as Jinja2, Velocity, FreeMarker, or similar) and user-controlled input ends up inside the template source that the engine compiles, rather than being passed to the template as data that is escaped or sandboxed. In this case, attackers can inject template syntax (e.g., {{7*7}}, ${system.exec()}, or similar expressions depending on the template engine) through chat messages, which is then evaluated server-side, leading to arbitrary code execution. The vulnerability is network-accessible (AV:N) with low attack complexity (AC:L) and requires no privileges (PR:N), making it trivially exploitable.

Affected Products

Citrix Remote Support (RS) and Citrix Privileged Remote Access (PRA) - specific affected versions must be confirmed from vendor advisories. Typical CPE patterns would be: cpe:2.3:a:citrix:remote_support:*:*:*:*:*:*:*:* and cpe:2.3:a:citrix:privileged_remote_access:*:*:*:*:*:*:*:*. The chat feature component across both products is universally affected unless patched. Organizations running any version prior to the security update release should be considered at risk. Check Citrix security advisory CTX (reference number to be obtained from vendor) for exact version boundaries.

Remediation

1. Apply the latest security patch released by Citrix for both Remote Support and Privileged Remote Access products immediately.
2. If immediate patching is not possible, disable or restrict access to the chat feature at the network level using firewall rules or WAF policies until patched.
3. Implement network segmentation to limit exposure of RS/PRA instances to trusted networks only.
4. Monitor for exploitation attempts by checking chat message logs for template injection payloads (e.g., suspicious ${}, {{}}, <%, or expression syntax in chat messages).
5. Review access logs for unusual chat API endpoint requests.
6. Consider disabling the chat feature entirely in non-critical deployments pending patch deployment.

Patch version information and detailed vendor advisories should be obtained directly from the Citrix Security Advisory (CSA) bulletin corresponding to this CVE.
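As an added example (not part of the vuln.today record and not vendor code), the following Python scanner applies remediation step 4 to a constructed chat log in a hypothetical ts|user|message format: it flags messages containing the template-expression syntaxes named above so a responder can triage them.

```python
import re
from typing import Dict, List

# Template-expression syntaxes named in the remediation guidance:
# Jinja2-style {{ }} and {% %}, FreeMarker/Velocity-style ${ } and #{ },
# and JSP/ERB-style <% %>. A match is a triage signal, not proof of exploitation.
TEMPLATE_PATTERNS = {
    "mustache_expr": re.compile(r"\{\{.*?\}\}", re.S),
    "jinja_stmt": re.compile(r"\{%.*?%\}", re.S),
    "dollar_expr": re.compile(r"\$\{.*?\}", re.S),
    "hash_expr": re.compile(r"#\{.*?\}", re.S),
    "angle_script": re.compile(r"<%.*?%>", re.S),
}

# Constructed sample chat log (hypothetical format: timestamp|user|message).
SAMPLE_LOG = """\
2025-06-16T13:00:01Z|alice|Hi, my VPN client will not connect since this morning.
2025-06-16T13:00:42Z|guest|{{7*7}}
2025-06-16T13:01:10Z|bob|The price is ${total} after discount, right?
2025-06-16T13:02:05Z|guest|<% out.println("hi") %>
2025-06-16T13:03:00Z|carol|Thanks, that fixed it.
"""


def scan_message(message: str) -> List[str]:
    """Return the names of every template-syntax pattern found in one chat message."""
    return [name for name, rx in TEMPLATE_PATTERNS.items() if rx.search(message)]


def scan_chat_log(log_text: str) -> List[Dict[str, str]]:
    """Scan a timestamp|user|message log and return one finding per flagged line."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # malformed line: skip it rather than abort the whole scan
        ts, user, message = parts
        hits = scan_message(message)
        if hits:
            findings.append({"ts": ts, "user": user,
                             "patterns": ",".join(hits), "message": message})
    return findings


if __name__ == "__main__":
    for f in scan_chat_log(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} patterns={f['patterns']} msg={f['message']!r}")
```

Bob's benign "${total}" is flagged too, which is the point of step 4: the scan narrows the log to candidates, and a human or a second rule decides which are attempts.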

Priority Score

50 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.5
CVSS: +49
POC: 0

EUVD-2025-18420 vulnerability details – vuln.today
