Cybersecurity experts have uncovered a series of high-risk vulnerabilities affecting the on-premise edition of SysAid IT support software. These flaws could allow unauthenticated attackers to remotely execute code with elevated privileges, potentially giving them full control of targeted systems.
Overview of the Discovered Vulnerabilities
The security loopholes, identified as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, stem from improper handling of XML input, specifically XML External Entity (XXE) injection vulnerabilities. When exploited, XXE flaws allow an attacker to influence how the server's XML parser processes the submitted document, which is what makes the file disclosures described below possible.
According to researchers Sina Kheirkhah and Jake Knott from watchTowr Labs, two of the flaws (CVE-2025-2775 and CVE-2025-2776) reside in the /mdm/checkin endpoint, while the third (CVE-2025-2777) is linked to the /lshw endpoint. All three can be abused using a simple, unauthenticated HTTP POST request.
From File Access to Full Compromise
Successful exploitation of these vulnerabilities could lead to sensitive file disclosures. One example cited by the researchers is access to the InitAccount.cmd file, an installation file that stores the administrator’s username and password in plaintext.
With that information in hand, attackers could log in with administrative rights, gaining unrestricted access to the SysAid platform.
Chaining Vulnerabilities for Maximum Impact
Worryingly, these XXE issues can be chained with an unrelated but critical operating system command injection vulnerability, assigned CVE-2025-2778. When combined, the flaws enable attackers to not only read sensitive files but also execute arbitrary commands on the server.
This makes the vulnerabilities especially dangerous for organizations that have not updated their SysAid installations.
Patches and Urgent Recommendations
The good news is that SysAid has addressed all four issues in its on-premise version 24.4.60 b16, which was released in early March 2025. A proof-of-concept (PoC) attack demonstrating the chained exploitation method has been published, raising the stakes for unpatched environments.
Given the history of SysAid vulnerabilities being used in zero-day attacks by ransomware groups like Cl0p (notably CVE-2023-47246), immediate action is advised. Organizations still using older versions should upgrade without delay to protect against potential exploitation.
The ease of exploitation and the critical nature of the information exposed make these vulnerabilities a top priority for system administrators. Prompt patching and a thorough review of current access logs and system configurations are essential steps toward securing affected environments.
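The access-log review recommended above, as an added example that is not from the article, the researchers, or SysAid: a stdlib-only Python script that flags POST requests to the two endpoints named in the write-up and counts them per source address. The combined log format and the sample lines are assumptions (constructed here; adjust the regex to your own server's format).

```python
import re
from collections import Counter

# Endpoints named by the researchers; both accept unauthenticated POSTs.
WATCHED_PATHS = ("/mdm/checkin", "/lshw")

# Apache/Tomcat-style combined access-log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic for demonstration only; not a real capture.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2025:09:12:01 +0000] "GET /Login.jsp HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2025:09:12:44 +0000] "POST /mdm/checkin HTTP/1.1" 200 812
203.0.113.9 - - [10/Mar/2025:09:12:45 +0000] "POST /mdm/checkin HTTP/1.1" 200 9031
203.0.113.9 - - [10/Mar/2025:09:13:02 +0000] "POST /lshw?ts=1 HTTP/1.1" 200 1320
198.51.100.7 - - [10/Mar/2025:09:14:10 +0000] "GET /mdm/checkin HTTP/1.1" 405 0
garbage line that does not parse
"""

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_watched_posts(log_text):
    """Return every POST to a watched endpoint as (ip, time, path, status, size)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if path in WATCHED_PATHS:
            hits.append((rec["ip"], rec["time"], path, int(rec["status"]), rec["size"]))
    return hits

def sources_to_review(log_text):
    """Count watched-endpoint POSTs per source IP so the noisiest senders surface first."""
    return Counter(ip for ip, *_ in find_watched_posts(log_text))

if __name__ == "__main__":
    for hit in find_watched_posts(SAMPLE_LOG):
        print(*hit)
    print(sources_to_review(SAMPLE_LOG).most_common())
```

Unusually large response sizes on these POSTs, or requests from addresses that are not known MDM clients, are the rows worth pulling the matching server-side logs for.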