Advisory

Critical Pre-Auth RCE vulnerabilities discovered in SysAid On-Premise IT support software

Take action: If you're using SysAid On-Premise (version 23.3.40 or earlier), update immediately to version 24.4.60 b16 or newer. These vulnerabilities have already been weaponized in a public proof-of-concept exploit, and SysAid has previously been targeted by ransomware groups. It's only a matter of time before your SysAid instance is attacked.


Learn More

Security researchers at watchTowr Labs have reported multiple critical vulnerabilities in SysAid's on-premise IT support software. Chained together, these flaws let an unauthenticated attacker achieve remote code execution with SYSTEM privileges.

The researchers identified three XML External Entity (XXE) injection vulnerabilities that can be exploited without authentication:

  • CVE-2025-2775 (CVSS score 9.3) - Pre-Authentication XXE vulnerability in the /mdm/checkin endpoint
  • CVE-2025-2776 (CVSS score 9.3) - Pre-Authentication XXE vulnerability in the /mdm/serverurl endpoint
  • CVE-2025-2777 (CVSS score 9.3) - Pre-Authentication XXE vulnerability in the /lshw endpoint

Combined with CVE-2025-2778 (CVSS score 9.8), a post-authentication OS command injection vulnerability discovered by an unnamed third party, these flaws form a complete attack chain for remote code execution.

The researchers describe the following attack chain involving these vulnerabilities:

  1. Attackers first exploit one of the XXE vulnerabilities to read sensitive files from the target system, specifically the InitAccount.cmd file.
  2. This file contains the plaintext administrator credentials created during installation, which remain accessible even after setup is complete.
  3. Using these administrator credentials, attackers can authenticate to the application and exploit the OS command injection vulnerability (CVE-2025-2778).
  4. The command injection vulnerability exists in how the application handles the javaLocation parameter, allowing attackers to inject arbitrary commands into batch files that are subsequently executed with SYSTEM privileges.

These flaws affect all versions of SysAid On-Premise up to and including version 23.3.40.
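As an added defensive example (not code from the advisory, watchTowr or SysAid), the following Python flags XML request bodies sent to the three pre-authentication endpoints named above that declare a DTD or an external entity, and checks whether a SysAid version string predates the fixed build. The sample requests and the `file:///placeholder` path are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional, Tuple

# The three pre-authentication XXE endpoints named in the advisory.
XXE_ENDPOINTS = ("/mdm/checkin", "/mdm/serverurl", "/lshw")
FIXED_VERSION = "24.4.60 b16"  # first fixed build per the advisory

# Device check-ins have no reason to carry a DTD; an external entity
# declaration (SYSTEM/PUBLIC) in the body is the XXE tell.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)

class Finding(NamedTuple):
    endpoint: str
    reason: str

def inspect_request(path: str, body: str) -> Optional[Finding]:
    """Flag an XML body sent to an affected endpoint that declares a DTD."""
    endpoint = path.split("?", 1)[0].rstrip("/").lower()
    if endpoint not in XXE_ENDPOINTS:
        return None
    if EXT_ENTITY_RE.search(body):
        return Finding(endpoint, "external entity declaration in body")
    if DOCTYPE_RE.search(body):
        return Finding(endpoint, "DOCTYPE declaration in body")
    return None

def parse_version(version: str) -> Tuple[int, ...]:
    """'24.4.60 b16' -> (24, 4, 60, 16); a missing build number counts as 0."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    return tuple((nums + [0, 0, 0, 0])[:4])

def needs_update(version: str) -> bool:
    """True when the running build predates the fixed build."""
    return parse_version(version) < parse_version(FIXED_VERSION)

if __name__ == "__main__":
    # Constructed sample traffic; the file path is a placeholder, not a real target.
    sample = [
        ("/mdm/checkin", "<checkin><deviceId>42</deviceId></checkin>"),
        ("/lshw", '<!DOCTYPE n [<!ENTITY e SYSTEM "file:///placeholder">]><n>&e;</n>'),
        ("/login", "<!DOCTYPE html><html></html>"),
    ]
    for path, body in sample:
        hit = inspect_request(path, body)
        print(f"{path}: {hit.reason if hit else 'ok'}")
    print("update required for 23.3.40:", needs_update("23.3.40"))
```

Treat any build below 24.4.60 b16 as needing the update; the check is deliberately conservative rather than stopping at the last version the advisory names as affected.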

Previous SysAid vulnerabilities (CVE-2023-47246) have been exploited as zero-days by ransomware operators such as Cl0p. Because ITSM platforms like SysAid are business-critical infrastructure holding sensitive organizational data, they remain attractive targets for attackers seeking to exfiltrate data or deploy ransomware.

SysAid has fixed all four vulnerabilities in version 24.4.60 b16, released in early March 2025. Organizations using SysAid On-Premise are strongly urged to update to this or newer versions.
