PT-2026-5334 · Amidaware · Amidaware Tactical Rmm

Published 2026-01-29 · Updated 2026-01-30 · CVE-2025-69516

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Amidaware Tactical RMM versions prior to 1.3.2

Description: A Server-Side Template Injection (SSTI) vulnerability exists in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM. The issue stems from insufficient sanitization of the template_md parameter, which allows the injection of Jinja2 templates. The cause is misuse of the generate_html() function: user-controlled values are passed to env.from_string, a function that processes Jinja2 templates. Successful exploitation allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the server.

Recommendations: Update Amidaware Tactical RMM to version 1.3.2 or later. As a temporary workaround, restrict access to the /reporting/templates/preview/ endpoint.
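
The flaw class described above, as an added illustration (not Tactical RMM's code and not the project's actual patch): the same submitted text is handled by the flawed pattern of compiling request data with env.from_string, by a fixed template that treats it as data, and by Jinja2's SandboxedEnvironment. The function names, the ReportContext class and all sample values are constructed for this example; it requires the jinja2 package.

```python
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


class ReportContext:
    """Constructed stand-in for an object handed to a report template."""

    def __init__(self):
        self.title = "Weekly patch status"
        self._api_token = "constructed-secret"  # must never reach output


def preview_unsafe(template_md: str) -> str:
    """Flawed pattern: request data is compiled as a Jinja2 template."""
    env = Environment()
    return env.from_string(template_md).render(report=ReportContext())


def preview_as_data(template_md: str) -> str:
    """Fixed template; the submitted text is only a value, never compiled."""
    env = Environment(autoescape=True)
    return env.from_string("<pre>{{ body }}</pre>").render(body=template_md)


def preview_sandboxed(template_md: str) -> str:
    """User-authored templates stay possible, but run in Jinja2's sandbox."""
    # StrictUndefined makes a refused attribute raise instead of rendering "".
    env = SandboxedEnvironment(autoescape=True, undefined=StrictUndefined)
    try:
        return env.from_string(template_md).render(report=ReportContext())
    except SecurityError:
        return "[template rejected by sandbox]"


if __name__ == "__main__":
    # Constructed, harmless inputs: arithmetic, a public field, a private field.
    for sample in ("{{ 7 * 7 }}", "{{ report.title }}", "{{ report._api_token }}"):
        print(repr(sample))
        print("  unsafe   :", preview_unsafe(sample))
        print("  as data  :", preview_as_data(sample))
        print("  sandboxed:", preview_sandboxed(sample))
```

The sandbox limits what a template can reach but still evaluates expressions, so it complements the upgrade to 1.3.2 and the endpoint access restriction and does not replace them.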

Related Identifiers: CVE-2025-69516

Affected Products: Amidaware Tactical Rmm