Description
This module exploits a Server-Side Template Injection (SSTI) vulnerability in Tactical RMM versions prior to 1.4.0 (CVE-2025-69516).
The reporting template preview endpoint passes user-controlled Jinja2 template content to Environment.from_string() without sandboxing, allowing arbitrary Python code execution on the server.
Valid credentials are required. The module authenticates to obtain a Knox API token, then delivers a Jinja2 SSTI payload through the template preview functionality to achieve OS command execution.
The vulnerability was silently patched in version 1.4.0 by switching from jinja2.Environment to jinja2.sandbox.SandboxedEnvironment.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/http/tacticalrmm_ssti_rce_cve_2025_69516msf undefined(tacticalrmm_ssti_rce_cve_2025_69516) > show actions ...actions...msf undefined(tacticalrmm_ssti_rce_cve_2025_69516) > set ACTION < action-name >msf undefined(tacticalrmm_ssti_rce_cve_2025_69516) > show options ...show and set options...msf undefined(tacticalrmm_ssti_rce_cve_2025_69516) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub