Cybersecurity researchers have disclosed multiple security flaw in the on-premise version of SysAid IT support software that could be exploited to achieve pre-authenticated remote code execution with elevated privileges.
The vulnerabilities, tracked as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, have all been described as XML External Entity (XXE) injections, which occur when an attacker is able to successfully interfere with an application’s parsing of XML input.
This, in turn, could permit attackers to inject unsafe XML entities into the web application, allowing them to carry out a Server-Side Request Forgery (SSRF) attack and in worst cases, remote code execution.
A description of the three vulnerabilities, according to watchTowr Labs researchers Sina Kheirkhah and Jake Knott, is as follows –
CVE-2025-2775 and CVE-2025-2776 – A pre-authenticated XXE within the /mdm/checkin endpoint
CVE-2025-2777 – A pre-authenticated XXE within the /lshw endpoint
watchTowr Labs described the vulnerabilities as trivial to exploit by means of a specially crafted HTTP POST request to the endpoints in question.
Successful exploitation of the flaws could enable an attacker to retrieve local files containing sensitive information, including SysAid’s own “InitAccount.cmd” file, which contains information about the administrator account username and plaintext password created during installation.
Armed with this information, the attacker could then gain full administrative access to SysAid as an administrator-privileged user.
To make matters worse, the XXE flaws could be chained with another operating system command injection vulnerability – discovered by a third-party – to achieve remote code execution. The command injection issue has been assigned the CVE identifier CVE-2025-2778.
All four vulnerabilities have been rectified by SysAid with the release of on-premise version 24.4.60 in early March 2025. A proof-of-concept (PoC) exploit combining the four vulnerabilities has been made available.
With security flaws in SysAid (CVE-2023-47246) previously exploited by ransomware actors like Cl0p in zero-day attacks, it’s imperative that users update their instances to the latest version.
