
Cybersecurity threats continue to escalate as more enterprises rely on IT support software to manage operations. One such platform, SysAid, is now under scrutiny following the discovery of multiple critical vulnerabilities in its on-premise version. Security researchers have identified three XML External Entity (XXE) injection flaws and an additional OS command injection vulnerability that could allow attackers to execute code remotely, without authentication, and gain elevated privileges.
These flaws, identified as CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, and CVE-2025-2778, pose serious risks, especially to organizations using outdated SysAid versions. The vulnerabilities were disclosed by security experts at watchTowr Labs, who emphasize their ease of exploitation and the potential for full system compromise. SysAid has since addressed these issues in version 24.4.60 b16, released in March 2025.
The Vulnerability Disclosure
Nature of the Vulnerabilities:
Three flaws (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777) are rooted in XML External Entity (XXE) injection issues. These arise when an application parses untrusted XML with external entity resolution enabled, so an attacker-supplied DOCTYPE can declare entities that the parser expands, for example to read local files or to make the server request internal resources.
Endpoints Affected:
The XXE vulnerabilities are found in the /mdm/checkin and /lshw endpoints, both of which can be exploited via unauthenticated HTTP POST requests.
Potential Impact:
Unauthorized retrieval of sensitive local files
Exposure of InitAccount.cmd, which contains SysAid admin credentials in plaintext
Full administrative control of the SysAid server
Possibility of chaining with a separate command injection vulnerability (CVE-2025-2778) for remote code execution
Command Injection Vulnerability:
A separate but related vulnerability (CVE-2025-2778) allows for OS command execution when paired with the XXE flaws.
Ease of Exploitation:
The XXE vulnerabilities are considered trivial to exploit, requiring only a crafted HTTP POST request. A public proof-of-concept (PoC) demonstrating the exploit chain is already circulating.
Patch and Mitigation:
SysAid addressed all four vulnerabilities in version 24.4.60 b16. Organizations using older versions are strongly urged to update immediately.
Historical Context:
SysAid has previously been exploited by threat actors such as the Cl0p ransomware group in zero-day attacks (notably CVE-2023-47246), making rapid patching an urgent priority.
What Undercode Says:
These vulnerabilities highlight a broader issue plaguing legacy and self-hosted enterprise software: poor input sanitization and weak endpoint validation. The XML External Entity (XXE) attack vector, although well-known and preventable, continues to resurface in modern applications because XML parsers are left with external entity resolution enabled or server settings are misconfigured.
Analysis Highlights:
Attack Surface Complexity:
Despite being a relatively niche IT support tool, SysAid presents a wide attack surface due to its XML-based architecture and multiple exposed API endpoints. Because the XXE injections are reachable without authentication, attackers can bypass conventional security controls such as firewalls and login gateways.
Security Oversight:
The fact that sensitive files like InitAccount.cmd, which contains plaintext admin credentials, remain accessible after installation points to systemic security oversights during setup procedures. These practices violate modern principles of secure software deployment.
Chaining Vulnerabilities:
The real-world risk is compounded by the ability to chain the XXE flaws with CVE-2025-2778, an OS command injection vulnerability. This combination allows for full remote code execution, significantly amplifying the threat. It only takes one unpatched SysAid instance to serve as an initial entry point for ransomware or persistent access.
Rapid Exploit Development:
The presence of a PoC less than two months after discovery underscores the rapid response and weaponization capabilities of threat actors. Once exploit code becomes public, it’s only a matter of time before it’s integrated into automated scanning tools or ransomware kits.
Enterprise Exposure:
SysAid is used by companies in finance, healthcare, education, and government sectors. These verticals are particularly sensitive to breaches due to compliance requirements and data protection mandates.
Neglected On-Prem Software:
The case also reveals a growing security gap in on-premise IT software. Unlike cloud platforms, which often benefit from automatic patching and real-time monitoring, on-prem installations depend on administrators to apply updates, a process often delayed due to bureaucracy or technical debt.
Recommendations:
Immediately upgrade to SysAid version 24.4.60 b16
Conduct a forensic review to detect past exploitation
Implement internal network segmentation to limit access to critical IT support software
Disable XML external entity resolution unless strictly needed
Monitor for suspicious outbound connections, especially those triggered by SSRF
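The following is an added example, not code from the original article or from SysAid, illustrating the XXE mechanism described above and the recommendation to disable external entity resolution. It uses only the Python standard library: an expat-based gate refuses any document carrying a DOCTYPE, an entity declaration or an external entity reference before the real parser sees it, which is the same strategy the defusedxml library applies. The element names, the "check-in" body shape and the placeholder file path are constructed for illustration and are not SysAid's actual schema.

```python
"""Hardened XML intake: reject DTDs and entity declarations up front so an
external entity can never be resolved.  Added example, stdlib only."""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class XmlRejected(ValueError):
    """Raised when a document carries a DTD, an entity declaration or an external reference."""


def check_no_dtd(data: bytes) -> None:
    """Scan the document with expat and abort on the first DTD-related event.

    Expat acts purely as a gatekeeper here: the handlers raise as soon as a
    DOCTYPE, entity declaration or external reference appears, so nothing is
    ever fetched from disk or the network.
    """
    parser = xml.parsers.expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise XmlRejected(f"DOCTYPE declaration not allowed (root={name!r})")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise XmlRejected(f"entity declaration not allowed ({name!r})")

    def forbid_external_ref(context, base, sysid, pubid):
        raise XmlRejected(f"external entity reference not allowed ({sysid!r})")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external_ref
    # Never expand parameter entities either; NEVER is the strictest setting.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlRejected(f"malformed XML: {exc}") from None


def parse_checkin(data: bytes) -> dict:
    """Parse a device check-in body after the DTD gate; returns child elements as a dict."""
    check_no_dtd(data)
    root = ET.fromstring(data)
    return {child.tag: (child.text or "") for child in root}


def classify(data: bytes) -> str:
    """Return 'ok' when the body parses cleanly, otherwise the rejection reason."""
    try:
        parse_checkin(data)
        return "ok"
    except XmlRejected as exc:
        return f"rejected: {exc}"


# Constructed sample bodies (illustrative element names, not SysAid's schema).
BENIGN_CHECKIN = b"<checkin><udid>device-0001</udid><os>Windows 11</os></checkin>"

# The classic external-entity shape: a DOCTYPE declaring an entity that points
# at a local file.  The path is a placeholder; the gate rejects the document at
# the DOCTYPE before any resolution could be attempted.
XXE_SHAPED = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE checkin [<!ENTITY ext SYSTEM "file:///placeholder/not-a-real-file">]>'
    b"<checkin><udid>&ext;</udid></checkin>"
)

if __name__ == "__main__":
    for body in (BENIGN_CHECKIN, XXE_SHAPED):
        print(classify(body))
```

Rejecting the DOCTYPE outright is deliberately coarser than only disabling external entity fetching: it also stops internal-entity expansion attacks such as "billion laughs", and most machine-to-machine XML, including device check-ins, has no legitimate need for a DTD. If a feed genuinely requires one, the entity and external-reference handlers still block the dangerous constructs on their own.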
Lessons Learned:
This disclosure serves as a warning for software vendors and enterprises alike. Outdated, self-hosted IT tools often harbor dangerous vulnerabilities that can be exploited with minimal effort. The integration of secure coding practices and proper configuration management must become standard practice, not an afterthought.
Fact Checker Results
CVE Validity: All CVEs (2025-2775 to 2025-2778) are registered and reflect active security concerns.
Patch Release Confirmed: SysAid has officially released a patched version (24.4.60 b16) in March 2025.
Exploit PoC Exists: A public proof-of-concept exploit is confirmed and accessible via security research communities.
Prediction
Given the critical nature of these flaws and the availability of a PoC, it’s highly likely that attackers, especially ransomware groups, will begin targeting unpatched SysAid instances in the coming months. Expect to see exploitation attempts spike in underground forums and automated malware campaigns. Enterprises that fail to patch quickly may experience data breaches, unauthorized access, or become unwitting launchpads for lateral attacks within corporate networks. Regulatory repercussions may also follow if sensitive customer or employee data is compromised due to negligence.
References:
Reported By: thehackernews.com