CVE-2025-61873
📋 TL;DR
This CSV injection vulnerability in Best Practical Request Tracker (RT) allows attackers to inject malicious formulas into exported TSV files. When users open these files in spreadsheet applications like Excel, the formulas can execute, potentially leading to data exfiltration or system compromise. Organizations using vulnerable RT versions with TSV export functionality are affected.
💻 Affected Systems
- Best Practical Request Tracker (RT)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary commands on victim systems when users open malicious TSV exports in vulnerable spreadsheet applications, potentially leading to full system compromise.
Likely Case
Attackers could exfiltrate data from victim systems through formula execution in spreadsheet applications, or cause denial of service by corrupting exported data.
If Mitigated
With proper controls like disabling TSV exports or using safe spreadsheet viewing practices, impact is limited to potential data corruption in exports.
🎯 Exploit Status
Exploitation requires access to create or modify tickets with malicious content, then convincing users to export and open TSV files in vulnerable spreadsheet applications.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: RT 4.4.9, 5.0.9, or 6.0.2
Vendor Advisory: https://docs.bestpractical.com/release-notes/rt/index.html
Restart Required: Yes
Instructions:
1. Backup your RT installation and database.
2. Download the patched version from Best Practical.
3. Follow the RT upgrade documentation for your version.
4. Restart RT services after upgrade.
🔧 Temporary Workarounds
Disable TSV Export
Platform: all
Remove or restrict access to TSV export functionality in RT
# Modify RT configuration to disable TSV exports
# Edit RT_SiteConfig.pm to remove TSV export options
Input Sanitization
Platform: all
Implement custom input validation to sanitize ticket values
# Add custom validation scrips to sanitize CSV/TSV dangerous characters
# Example: Remove =, +, - and @ from ticket fields
🧯 If You Can't Patch
- Implement strict access controls on who can create/modify tickets
- Train users to never open TSV/CSV exports directly in spreadsheet applications without validation
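A check for the "Input Sanitization" workaround and the "validate before opening" advice above, as an added example (not code from RT or Best Practical): it scans a TSV export for cells starting with =, +, - or @ and prefixes them with a single quote so a spreadsheet treats them as text. The sample export and function names are constructed for illustration; ignoring leading whitespace and treating plain signed numbers as data are assumptions of this sketch.

```python
import csv
import io

# Leading characters the workaround above lists as dangerous.
FORMULA_TRIGGERS = ("=", "+", "-", "@")

# Constructed sample export (not real RT output).
SAMPLE_EXPORT = (
    "id\tSubject\tPriority\n"
    "101\tPrinter offline\t-5\n"
    "102\t=SUM(A1:A2)\t0\n"
    "103\t @example placeholder\t3\n"
)


def is_formula_like(cell):
    """True if the cell starts with a formula trigger and is not a number."""
    stripped = cell.lstrip()  # assumption: leading whitespace does not make it safe
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(stripped)  # plain signed numbers such as -5 are ordinary data
        return False
    except ValueError:
        return True


def scan_and_neutralize(tsv_text):
    """Return (findings, safe_text); findings are (row, column, value)."""
    reader = csv.reader(io.StringIO(tsv_text), delimiter="\t")
    out = io.StringIO()
    writer = csv.writer(out, delimiter="\t", lineterminator="\n")
    findings = []
    for row_no, row in enumerate(reader, start=1):
        safe_row = []
        for col_no, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                findings.append((row_no, col_no, cell))
                cell = "'" + cell  # leading quote forces text interpretation
            safe_row.append(cell)
        writer.writerow(safe_row)
    return findings, out.getvalue()


if __name__ == "__main__":
    hits, cleaned = scan_and_neutralize(SAMPLE_EXPORT)
    for row_no, col_no, value in hits:
        print(f"row {row_no} col {col_no}: {value!r}")
    print(cleaned, end="")
```

Run it over a downloaded export before opening the file in a spreadsheet; any finding on an unpatched RT instance identifies the ticket field to review.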
🔍 How to Verify
Check if Vulnerable:
Check RT version using 'rt-server --version' or examine RT configuration files. Compare against vulnerable versions: <4.4.9, <5.0.9, <6.0.2
Check Version:
rt-server --version
Verify Fix Applied:
Verify RT version is 4.4.9, 5.0.9, or 6.0.2 or higher. Test TSV export functionality with malicious payloads to confirm sanitization.
📡 Detection & Monitoring
Log Indicators:
- Unusual TSV export patterns
- Multiple failed export attempts
- Large volume exports from single users
Network Indicators:
- Abnormal download patterns of TSV files
- External connections triggered by exported files
SIEM Query:
source="rt-logs" AND (event="export" OR event="download") AND file_type="tsv" | stats count by user, src_ip