Exploited Vulnerabilities in SysAid Allow Remote File Access and SSRF Attacks

Published:

spot_img

Jul 23, 2025Ravie LakshmananVulnerability / Software Security

Recent Vulnerabilities Exposed in SysAid IT Support Software

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added two significant security vulnerabilities within SysAid IT support software to its Known Exploited Vulnerabilities (KEV) catalog. This move underscores the urgency of addressing these issues due to active exploitation in the wild.

What Are the Identified Vulnerabilities?

CVE-2025-2775

One of the critical vulnerabilities, labeled as CVE-2025-2775, has a CVSS score of 9.3. It involves an improper restriction of XML external entity (XXE) references, specifically within the Checkin processing functionality. This flaw could potentially allow an attacker to take over administrator accounts and access sensitive files.

CVE-2025-2776

Another major vulnerability, CVE-2025-2776, also scores 9.3 on the CVSS scale. Similar to the first, it pertains to improper restrictions on XML external entity references but is found within the Server URL processing functionality. This vulnerability similarly enables the possibility of administrator account takeovers and unauthorized file reads.

Background of the Vulnerabilities

These vulnerabilities were disclosed by researchers from watchTowr Labs, Sina Kheirkhah and Jake Knott, back in May. They also reported a third vulnerability, CVE-2025-2777, which bears the same high CVSS score of 9.3 and pertains to a pre-authenticated XXE within the /lshw endpoint.

Proposed Solutions From SysAid

In response to these vulnerabilities, SysAid released an update to address the issues in the on-premise version 24.4.60 build 16, which became available in early March 2025. The cybersecurity firm highlighted that the vulnerabilities could enable attackers to inject malicious XML entities into the web application, paving the way for Server-Side Request Forgery (SSRF) attacks. In certain scenarios, these vulnerabilities could lead to remote code execution, especially when coupled with CVE-2024-36394, a command injection flaw uncovered by CyberArk last June.

Understanding the Current Threat Landscape

While the vulnerabilities have been documented, the specifics of how CVE-2025-2775 and CVE-2025-2776 are being exploited in real-world scenarios remain unclear. There is no available information regarding the identities of the threat actors involved, their objectives, or the scale of their attacks.

Timelines for Remediation

To mitigate the risks associated with these active vulnerabilities, the Federal Civilian Executive Branch (FCEB) agencies have been given a deadline to implement necessary patches by August 12, 2025. As these vulnerabilities pose significant risks, timely action is crucial for maintaining robust security in IT environments using SysAid software.

spot_img

Related articles

Recent articles

People, Not Technology, Shape the Future of AI Projects, Asserts NCST Official

People, Not Technology, Shape the Future of AI Projects, Asserts NCST Official Artificial intelligence (AI) has become a focal point in boardrooms across the Middle...

Transforming Risk Management: A Shift Towards Business Alignment

Transforming Risk Management: A Shift Towards Business Alignment In the realm of cybersecurity, the challenge of effectively managing risk is akin to the dilemma faced...

World Leaders Unite to Congratulate Seychelles on 50th Independence Anniversary

World Leaders Unite to Congratulate Seychelles on 50th Independence Anniversary On June 29, 2026, Seychelles marked a significant milestone—the 50th anniversary of its independence. This...

Weekly Cybersecurity Recap: Google Disrupts 2 Million-Device Proxy Botnet, Browser Ransomware Emerges, and AI Agents Face New Threats

Weekly Cybersecurity Recap: Google Disrupts 2 Million-Device Proxy Botnet, Browser Ransomware Emerges, and AI Agents Face New Threats In a week marked by significant...