Latest Cyber Security News

You are here: Home / General Cyber Security News / CISA Warns: SysAid Flaws Under Active Attack Enable Remote File Access and SSRF
July 23, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security flaws impacting SysAid IT support software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerabilities in question are listed below –

  • CVE-2025-2775 (CVSS score: 9.3) – An improper restriction of XML external entity (XXE) reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives
  • CVE-2025-2776 (CVSS score: 9.3) – An improper restriction of XML external entity (XXE) reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives

Both shortcomings were disclosed by watchTowr Labs researchers Sina Kheirkhah and Jake Knott back in May, alongside CVE-2025-2777 (CVSS score: 9.3), a pre-authenticated XXE within the /lshw endpoint.

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


Cybersecurity

The three vulnerabilities were addressed by SysAid in the on-premise version 24.4.60 build 16 released in early March 2025.

The cybersecurity firm noted that the vulnerabilities could allow attackers to inject unsafe XML entities into the web application, resulting in a Server-Side Request Forgery (SSRF) attack, and in some cases, remote code execution when chained with CVE-2024-36394, a command injection flaw revealed by CyberArk last June.

It’s currently not known how CVE-2025-2775 and CVE-2025-2776 are being exploited in real-world attacks. Nor is any information available regarding the identity of the threat actors, their end goals, or the scale of these efforts.

To safeguard against the active threat, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by August 12, 2025.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *