Cybersecurity researchers have disclosed multiple security flaws in the on-premise version of SysAid IT support software that could be exploited to achieve pre-authenticated remote code execution with elevated privileges.
The vulnerabilities, tracked as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, have all been described as XML External Entity (XXE) injections, which occur when an attacker is able to successfully interfere with an application’s parsing of XML input.
This, in turn, could permit attackers to inject unsafe XML entities into the web application, allowing them to carry out a Server-Side Request Forgery (SSRF) attack and, in the worst case, achieve remote code execution.

A description of the three vulnerabilities, according to watchTowr Labs researchers Sina Kheirkhah and Jake Knott, is as follows –
- CVE-2025-2775 and CVE-2025-2776 – A pre-authenticated XXE within the /mdm/checkin endpoint
- CVE-2025-2777 – A pre-authenticated XXE within the /lshw endpoint
watchTowr Labs described the vulnerabilities as trivial to exploit by means of a specially crafted HTTP POST request to the endpoints in question.
Successful exploitation of the flaws could enable an attacker to retrieve local files containing sensitive information, including SysAid’s own “InitAccount.cmd” file, which contains information about the administrator account username and plaintext password created during installation.
Armed with this information, the attacker could then gain full administrative access to SysAid as an administrator-privileged user.
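The mechanism behind the three XXE findings is the one described above: an XML parser that honours a client-supplied DTD will resolve external entities, which is how a request body turns into a read of a local file such as "InitAccount.cmd". The following is an added example (not SysAid's code, and it makes no claim about how the /mdm/checkin or /lshw handlers are actually implemented) showing the defensive pattern for an endpoint that must accept XML from unauthenticated clients: refuse any DOCTYPE or entity declaration before the parser can act on it, and flag such bodies for detection. The endpoint shape, element names and sample request bodies are constructed for illustration.

```python
"""Hardened XML intake for an unauthenticated endpoint (added example).

Not SysAid code; the checkin document layout and the sample bodies below are
constructed for illustration only.
"""
import re
from xml.parsers import expat


class XXEBlocked(ValueError):
    """Raised when a document carries a DTD or an entity declaration."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML into {tag: text} for leaf elements, refusing any DOCTYPE.

    Refusing the DTD up front removes both external-entity (XXE) reads and
    entity-expansion ("billion laughs") attacks, because neither can be
    declared without one. expat also never fetches an external entity unless
    an ExternalEntityRefHandler is installed, and this parser installs none.
    Mixed content (text interleaved with child elements) is not preserved;
    only the text of leaf elements is collected.
    """
    parser = expat.ParserCreate()
    result: dict = {}
    text: list = []

    def forbid_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise XXEBlocked(f"DOCTYPE refused: {doctype_name!r} (system id {system_id!r})")

    def forbid_entity(*_args):
        raise XXEBlocked("entity declaration refused")

    def start(name, attrs):
        text.clear()

    def chars(content):
        text.append(content)

    def end(name):
        value = "".join(text).strip()
        if value:
            result[name] = value
        text.clear()

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return result


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except XXEBlocked:
        return True
    return False


# Cheap triage signal for request logs or WAF rules: a DOCTYPE or ENTITY
# declaration in a body sent to an endpoint that expects plain data XML is a
# strong indicator, since legitimate clients have no reason to send one.
DTD_PATTERN = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def request_looks_like_xxe(body: bytes) -> bool:
    return DTD_PATTERN.search(body) is not None


# Constructed sample bodies (not real SysAid traffic).
BENIGN_CHECKIN = b"""<?xml version="1.0"?>
<checkin><deviceId>demo-device-01</deviceId><status>ok</status></checkin>"""

XXE_CHECKIN = b"""<?xml version="1.0"?>
<!DOCTYPE checkin [ <!ENTITY ext SYSTEM "file:///placeholder/local/file"> ]>
<checkin><deviceId>&ext;</deviceId></checkin>"""


if __name__ == "__main__":
    print("benign body parsed:", parse_untrusted_xml(BENIGN_CHECKIN))
    print("benign flagged:", request_looks_like_xxe(BENIGN_CHECKIN))
    print("DTD body flagged:", request_looks_like_xxe(XXE_CHECKIN))
    print("DTD body rejected by parser:", is_rejected(XXE_CHECKIN))
```

The parser-level refusal is the control that actually matters, because it holds regardless of how the request reached the handler; the regex is only a detection aid for spotting attempts in access logs or at a reverse proxy and should not be relied on as the sole defence.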
To make matters worse, the XXE flaws could be chained with a separate operating system command injection vulnerability, discovered by a third party, to achieve remote code execution. The command injection issue has been assigned the CVE identifier CVE-2025-2778.
All four vulnerabilities have been rectified by SysAid with the release of on-premise version 24.4.60 in early March 2025. A proof-of-concept (PoC) exploit combining the four vulnerabilities has been made available.
With security flaws in SysAid (CVE-2023-47246) previously exploited by ransomware actors like Cl0p in zero-day attacks, it’s imperative that users update their instances to the latest version.
Some parts of this article are sourced from:
thehackernews.com