Recent Vulnerabilities Exposed in SysAid IT Support Software
On July 22, 2025 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security vulnerabilities in the on-premise version of SysAid IT support software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. A KEV listing is CISA's signal that a flaw is being used against real targets, not merely that it is severe.
What Are the Identified Vulnerabilities?
CVE-2025-2775
The first flaw, tracked as CVE-2025-2775 (CVSS 9.3), is a pre-authenticated improper restriction of XML external entity (XXE) references in the Checkin processing functionality. Because the server parses attacker-supplied XML and resolves the entities that XML declares, an unauthenticated attacker can read files from the server and use what they read to take over administrator accounts.
CVE-2025-2776
The second, CVE-2025-2776, also scores 9.3. It is the same class of bug, an improperly restricted XXE reference, but in the Server URL processing functionality. It likewise allows unauthenticated file reads and administrator account takeover.
Background of the Vulnerabilities
All of these issues were disclosed by watchTowr Labs researchers Sina Kheirkhah and Jake Knott in May 2025. They reported a third vulnerability at the same time, CVE-2025-2777 (also CVSS 9.3), a pre-authenticated XXE in the /lshw endpoint; it is not among the two flaws CISA has added to the KEV catalog.
Fixes From SysAid
SysAid fixed all three issues in SysAid On-Prem version 24.4.60 build 16, released in early March 2025, roughly two months before the public disclosure. watchTowr noted that the vulnerabilities allow an attacker to inject malicious XML entities into the web application, which yields Server-Side Request Forgery (SSRF) as well as local file reads, since an external entity can point at an http:// URL just as easily as at a file:// path. In some deployments the flaws can be chained into remote code execution, for example together with CVE-2024-36394, a command injection vulnerability in SysAid disclosed by CyberArk in June 2024.
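The mechanism behind all three bugs is the same, so it is worth seeing concretely. The following Python is an added illustration written for this page, not SysAid's code and not watchTowr's exploit: the element names (`<checkin>`, `<agent>`), the temporary "secret" file and the attacker payload are all constructed for the demonstration. It parses the same XXE payload with a parser that resolves external general entities (the vulnerable configuration) and with one that refuses any DTD and keeps external entity resolution off (the hardened configuration), and returns what each parser let through. Pointing the SYSTEM identifier at an http:// URL instead of a file URI is the SSRF variant; the example does not perform a network request.

```python
"""Added example: how an XML external entity (XXE) turns a parser into a
file reader, and the two controls that stop it. Illustrative code written for
this page; the <checkin>/<agent> element names are assumptions, not SysAid's
real Checkin request format."""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler
from xml.sax.handler import ContentHandler


class _TextCollector(ContentHandler):
    """Collects all character data, i.e. what the application would read."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def _parse(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    parser = xml.sax.make_parser()
    # feature_external_ges decides whether <!ENTITY x SYSTEM "..."> entities
    # are fetched and inlined. Python has defaulted it to False since 3.7.1;
    # the vulnerable path below turns it back on.
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def parse_checkin_vulnerable(xml_bytes: bytes) -> str:
    """Resolves external entities: a SYSTEM entity pointing at a file:// URL
    (or an http:// URL, which is the SSRF case) is fetched by the server."""
    return _parse(xml_bytes, resolve_external_entities=True)


def parse_checkin_hardened(xml_bytes: bytes) -> str:
    """Rejects any DTD outright and keeps external entity resolution off.
    Refusing <!DOCTYPE> also blocks entity-expansion (billion laughs) abuse."""
    if b"<!DOCTYPE" in xml_bytes.upper():
        raise ValueError("DTD/DOCTYPE not permitted in checkin payload")
    return _parse(xml_bytes, resolve_external_entities=False)


def build_xxe_payload(target_uri: str) -> bytes:
    """Constructed attacker payload: declare an external entity for the
    target and reference it in a field the server will read back."""
    return (
        b'<?xml version="1.0"?>\n'
        b"<!DOCTYPE checkin [\n"
        b'  <!ENTITY xxe SYSTEM "' + target_uri.encode() + b'">\n'
        b"]>\n"
        b"<checkin><agent>&xxe;</agent></checkin>\n"
    )


def demo() -> dict:
    """Create a throwaway 'secret' file (stands in for /etc/passwd or a config
    file), feed the same XXE payload to both parsers, and report the outcome."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("constructed-secret-token-42")  # constructed sample content
        secret_path = f.name
    try:
        payload = build_xxe_payload(Path(secret_path).as_uri())
        leaked = parse_checkin_vulnerable(payload)  # file content comes back
        try:
            parse_checkin_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True  # DTD rejected before any entity is resolved
        benign = parse_checkin_hardened(b"<checkin><agent>host-01</agent></checkin>")
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked.strip(), "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

The hardened parser applies the two standard controls: turn off external entity resolution, and refuse the DOCTYPE declaration altogether so that no entity can be declared in the first place. SysAid is a Java application; the equivalent settings on a JAXP parser are the `http://apache.org/xml/features/disallow-doctype-decl` feature set to true and the external-general-entities and external-parameter-entities features set to false. Parsing untrusted XML without those settings is what makes pre-authentication file reads and SSRF possible.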
Understanding the Current Threat Landscape
Although the vulnerabilities themselves are well documented, the specifics of how CVE-2025-2775 and CVE-2025-2776 are being exploited in the wild are not public. There is no information on who is behind the attacks, what they are after, or how widespread they are. Defenders should not read that silence as low risk: the flaws require no authentication, and technical details have been public since the May disclosure.
Timelines for Remediation
CISA has given Federal Civilian Executive Branch (FCEB) agencies until August 12, 2025 to apply the fixes. Organizations outside the federal government that run SysAid On-Prem should treat the same date as a reasonable target: confirm that the deployment is on version 24.4.60 build 16 or later, and, because the flaws are exploitable without credentials, limit the instance's exposure to the internet until it is patched.