CVE-2025-61873 in Request Tracker

Summary

by MITRE • 01/16/2026

Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.

Analysis

by VulDB Data Team • 01/16/2026

The Best Practical Request Tracker (RT) vulnerability CVE-2025-61873 represents a critical security flaw in versions prior to 4.4.9, 5.0.9, and 6.0.2 that enables CSV injection attacks through ticket values during TSV export operations. This vulnerability falls under the CWE-1235 category of Improper Neutralization of Special Elements used in a Command, specifically targeting the handling of user-supplied data in export functionality. The flaw occurs when users can manipulate ticket values to include malicious formulas that execute when the exported data is opened in spreadsheet applications like Microsoft Excel or Google Sheets, creating a vector for arbitrary code execution and data exfiltration.

The technical implementation of this vulnerability exploits the lack of proper input sanitization during the TSV (Tab-Separated Values) export process within RT's ticket management system. When users create or modify ticket values containing specific malicious prefixes such as equals signs, plus signs, or other spreadsheet formula indicators, these values are directly embedded into the exported data without proper escaping or encoding. This allows attackers to craft ticket content that, when opened in spreadsheet applications, executes unintended commands or macros, potentially leading to full system compromise or unauthorized data access.

The operational impact of this vulnerability extends beyond simple data manipulation, creating significant risks for organizations relying on RT for ticket management and incident response. Attackers can leverage this flaw to inject malicious formulas that perform actions such as opening web pages, downloading additional malware, or accessing sensitive network resources. The vulnerability is particularly dangerous in environments where RT is used for security incident tracking, as attackers could exploit it to manipulate or corrupt security-related ticket data, potentially hiding malicious activities or disrupting security operations. This represents a direct threat to data integrity and system confidentiality.

Organizations should immediately implement mitigations including upgrading to RT versions 4.4.9, 5.0.9, or 6.0.2 where this vulnerability has been addressed. Additional protective measures include implementing strict input validation for ticket values, particularly those that may be exported, and configuring spreadsheet applications to disable automatic formula execution when opening files from untrusted sources. Network segmentation and access controls should be enforced to limit exposure, while security monitoring should be enhanced to detect unusual export activities or suspicious ticket modifications. The ATT&CK framework categorizes this vulnerability under T1059.001 (Command and Scripting Interpreter: PowerShell) and T1078.004 (Valid Accounts: Cloud Accounts) as it enables attackers to escalate privileges and maintain access through spreadsheet-based attack vectors, making it a significant concern for enterprise security postures and compliance requirements.
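One way to apply the neutralization described above at export time, and to audit TSV files that were already exported, shown as an added example (this is not RT's code or its actual fix). The trigger list beyond "=" and "+", the apostrophe prefix, and the sample tickets are assumptions made for illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula. "=" and "+" are named on the page; "-" and "@" are added from
# general CSV-injection guidance (assumption, not RT's own list).
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def is_formula_like(value):
    """True if a spreadsheet could evaluate this cell instead of showing it."""
    stripped = value.lstrip(" \t\r\n")
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(stripped)  # plain signed numbers such as "-5" are data
        return False
    except ValueError:
        return True


def neutralize(value):
    """Prefix risky cells with an apostrophe so they are read as text."""
    return "'" + value if is_formula_like(value) else value


def export_tsv(rows):
    """Write rows as TSV with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="\t", lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(str(cell)) for cell in row])
    return buf.getvalue()


def audit_tsv(text):
    """Return (row, column, value) for every formula-like cell in a TSV."""
    reader = csv.reader(io.StringIO(text), delimiter="\t")
    return [(r, c, cell)
            for r, row in enumerate(reader, start=1)
            for c, cell in enumerate(row, start=1)
            if is_formula_like(cell)]


# Constructed sample tickets (id, subject, priority); not real RT data.
SAMPLE = [
    ["id", "subject", "priority"],
    ["101", "Printer offline", "-5"],
    ["102", "=1+1", "3"],
    ["103", "  +SUM(A1:A2)", "0"],
]
```

Running `audit_tsv` over exports produced before the upgrade shows which ticket fields carried formula-like values and should be reviewed.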

Responsible: MITRE
Reservation: 10/03/2025
Disclosure: 01/16/2026
Moderation: accepted
CPE: ready
EPSS: 0.00006
KEV: no
Activities: very low
