On May 7, 2025, cybersecurity researchers uncovered multiple security flaws in the on-premise version of SysAid IT support software that could lead to pre-authenticated remote code execution with elevated privileges. These vulnerabilities, identified as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, are XML External Entity (XXE) injections, allowing attackers to manipulate XML input to carry out Server-Side Request Forgery (SSRF) attacks and potentially achieve remote code execution.
watchTowr Labs researchers Sina Kheirkhah and Jake Knott described the vulnerabilities as pre-authenticated XXE within specific endpoints of the SysAid software. The flaws can be triggered with specially crafted HTTP POST requests to the vulnerable endpoints, which makes them trivial to exploit.
Exploiting these vulnerabilities could let attackers read sensitive local files, including SysAid’s “InitAccount.cmd” file, which contains administrator account credentials. With those credentials, an attacker could gain full administrative access to SysAid. The XXE flaws could additionally be chained with an operating system command injection vulnerability (CVE-2025-2778) to achieve remote code execution.
SysAid has released a patch in version 24.4.60 b16 to address these vulnerabilities, alongside a proof-of-concept (PoC) exploit showcasing the chain of vulnerabilities. Given that earlier SysAid vulnerabilities have been exploited in zero-day attacks, users are strongly advised to update their instances to the latest version to mitigate the risk of exploitation.
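As an added example (not SysAid's or watchTowr's code), the parser-side control that removes this class of bug, written in Python with only the standard library: untrusted XML is refused outright if it declares a DOCTYPE or any entity, and a small triage helper shows the verdicts over constructed request bodies. The SYSTEM path in the sample body is a placeholder, not a real file.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class DtdForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def assert_no_dtd(xml_bytes: bytes) -> None:
    """Walk the document with expat and abort on the first DTD construct.

    External entities are what make XXE possible, but internal entities and
    DOCTYPEs are refused as well: a DTD has no business in an API request
    body, and blanket refusal is what hardened parsers call disallow-doctype-decl.
    """
    parser = expat.ParserCreate()

    def forbid(*_args):
        raise DtdForbidden("DOCTYPE/entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.Parse(xml_bytes, True)


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Parse request XML only after the DTD gate has passed."""
    assert_no_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


def triage(xml_bytes: bytes) -> str:
    """Classify a body as 'ok', 'dtd-rejected' or 'malformed' for logging."""
    try:
        parse_untrusted(xml_bytes)
        return "ok"
    except DtdForbidden:
        return "dtd-rejected"
    except (expat.ExpatError, ET.ParseError):
        return "malformed"


# Constructed sample bodies; the SYSTEM path below is a placeholder.
BENIGN = b'<?xml version="1.0"?><ticket><title>Printer offline</title></ticket>'
INTERNAL_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE t [<!ENTITY co "Example Inc">]>'
                   b'<ticket><title>&co;</title></ticket>')
EXTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE t [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
                   b'<ticket><title>&ext;</title></ticket>')

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("internal", INTERNAL_ENTITY),
                       ("external", EXTERNAL_ENTITY)]:
        print(f"{name}: {triage(body)}")
```

Note that the gate also rejects legitimate clients that send internal DTDs; if such clients exist, the fix is to change what they send, not to loosen the gate.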