
CVE-2025-61873: CWE-1236 Improper Neutralization of Formula Elements in a CSV File in bestpractical Request Tracker

0
Low
Type: Vulnerability
Tags: CVE-2025-61873, cve, cve-2025-61873, cwe-1236
Published: Fri Jan 16 2026 (01/16/2026, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: bestpractical
Product: Request Tracker

Description

Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.

AI-Powered Analysis

Last updated: 01/16/2026, 18:36:16 UTC

Technical Analysis

CVE-2025-61873 is a vulnerability in Best Practical Request Tracker (RT), a widely used issue tracking and ticketing system. The vulnerability specifically affects versions before 4.4.9, 5.0.9, and 6.0.2. It involves CSV Injection (also known as Formula Injection) via ticket values when users export ticket data using the TSV export functionality.

CSV Injection occurs when untrusted input is embedded in CSV or TSV files without proper sanitization, allowing spreadsheet applications like Microsoft Excel or LibreOffice Calc to interpret certain cell contents as formulas. An attacker can craft ticket values containing malicious formulas or commands that execute when the exported file is opened by a user. This can lead to arbitrary code execution, data exfiltration, or manipulation within the victim's environment.

The vulnerability does not require authentication to be exploited if the export feature is publicly accessible or if an attacker can influence ticket content. However, exploitation requires user interaction to open the malicious file in a spreadsheet application. No public exploits have been reported yet, and no CVSS score has been assigned. The vulnerability was reserved in October 2025 and published in January 2026. The lack of patch links suggests users should upgrade to the fixed versions mentioned or apply vendor-recommended mitigations. The threat is particularly relevant for organizations that frequently export ticket data for analysis or reporting, as this increases exposure to malicious payloads embedded in exported files.

Potential Impact

For European organizations, the impact of CVE-2025-61873 can be significant in environments where RT is used extensively for IT service management, customer support, or internal issue tracking. Successful exploitation could lead to execution of arbitrary commands on the client side when exported TSV files are opened, potentially compromising user machines or leaking sensitive data. This could undermine the confidentiality and integrity of organizational data and disrupt operations if malicious payloads execute destructive commands. The vulnerability also increases the risk of social engineering attacks, as attackers might trick users into opening malicious exports. While the vulnerability does not directly affect server availability, the downstream impact on client systems and data integrity can be severe. European organizations handling sensitive or regulated data (e.g., GDPR-regulated personal data) face compliance risks if such an attack leads to data breaches. The absence of known exploits provides a window for proactive mitigation, but the widespread use of RT in Europe means many organizations could be exposed if patches are not applied promptly.

Mitigation Recommendations

1. Upgrade RT installations to versions 4.4.9, 5.0.9, or 6.0.2 or later, where the vulnerability is fixed.
2. Implement input validation and sanitization on ticket fields to neutralize characters that can trigger formula execution in spreadsheet applications (e.g., prefixing cells with a single quote or removing leading '=', '+', '-', '@').
3. Educate users to be cautious when opening exported TSV or CSV files from untrusted or internal sources, especially those containing ticket data.
4. Restrict access to the TSV export functionality to authorized users only, minimizing exposure to untrusted inputs.
5. Consider disabling TSV export if not required or replacing it with safer export formats that do not interpret formulas.
6. Monitor logs and ticket content for suspicious entries that may indicate attempts to inject malicious payloads.
7. Use endpoint protection solutions that can detect and block malicious macro or formula execution in spreadsheet applications.
8. Establish policies for secure handling and scanning of exported files before opening.
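An added example, not RT's own fix or code from Best Practical: a minimal TSV export filter that applies the single-quote prefix from mitigation 2 and the ticket-content check from mitigation 6. The ticket data, field names and function names are constructed for illustration, and leaving plain signed numbers such as "-3" unquoted is a choice made in this example.

```python
import re

# Leading characters the advisory names as formula triggers.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# Plain signed numbers such as "-12.5" are data, not formulas; leave them intact.
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")

# Constructed sample tickets (hypothetical field names, benign formulas only).
SAMPLE_TICKETS = [
    {"id": 101, "Subject": "Printer offline", "Requestor": "alice@example.com"},
    {"id": 102, "Subject": "=1+1", "Requestor": "bob@example.com"},
    {"id": 103, "Subject": "  @SUM(A1:A2)", "Requestor": "carol@example.com"},
    {"id": 104, "Subject": "-3", "Requestor": "dave@example.com"},
    {"id": 105, "Subject": "VPN down\t=2*3", "Requestor": "erin@example.com"},
]
FIELDS = ["id", "Subject", "Requestor"]


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet could evaluate this cell as a formula."""
    stripped = value.lstrip()  # whitespace before the trigger does not make it safe
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    return PLAIN_NUMBER.fullmatch(stripped) is None


def neutralize_cell(value) -> str:
    """Return a TSV-safe cell: one line, no tabs, formulas forced to text."""
    text = "" if value is None else str(value)
    flagged = is_formula_like(text)
    # An embedded tab or line break would start a new cell with attacker-chosen text.
    text = re.sub(r"[\t\r\n]+", " ", text).strip()
    return "'" + text if flagged else text


def export_tsv(tickets, fields) -> str:
    """Build the TSV export with every cell passed through neutralize_cell."""
    lines = ["\t".join(fields)]
    for ticket in tickets:
        lines.append("\t".join(neutralize_cell(ticket.get(f)) for f in fields))
    return "\n".join(lines) + "\n"


def find_suspicious(tickets, fields):
    """Audit helper: (ticket id, field) pairs whose stored value is formula-like."""
    return [(t["id"], f) for t in tickets for f in fields
            if is_formula_like(str(t.get(f) or ""))]
```

The filter belongs at export time rather than at ticket creation, so stored ticket values stay unmodified for other consumers.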


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-03T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 696a81b1b22c7ad868cae2df

Added to database: 1/16/2026, 6:21:37 PM

Last enriched: 1/16/2026, 6:36:16 PM

Last updated: 1/16/2026, 9:58:30 PM
