Critical Vulnerabilities Discovered in SysAid IT Support Software
On May 7, 2025, cybersecurity researchers disclosed multiple security flaws in the on-premise version of SysAid IT support software. These vulnerabilities could allow attackers to execute remote code with elevated privileges, posing significant risks to organizations relying on this software for IT management.
Overview of the Vulnerabilities
The vulnerabilities, identified as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, are categorized as XML External Entity (XXE) injections. Such vulnerabilities arise when an attacker manipulates an application’s XML input parsing, leading to unauthorized actions within the system. This exploitation could enable attackers to inject unsafe XML entities, facilitating Server-Side Request Forgery (SSRF) attacks and, in severe cases, remote code execution.
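The root cause described above is a parser that honours a DOCTYPE supplied by the client, which is where external entity declarations live. The usual mitigation is to refuse DTDs entirely before untrusted XML reaches the parser. The following Python example is added here to illustrate that principle; it is not SysAid's code, makes no claim about which XML library SysAid uses, and the function names and the two sample documents (a benign check-in style payload and one carrying a DOCTYPE with an external entity pointing at a placeholder path) are constructed for the example.

```python
"""Refuse DTDs before parsing untrusted XML (added example, not SysAid code)."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DTD; XXE payloads need one to declare entities."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this at the start of any <!DOCTYPE ...>; raising aborts the parse
    # before any entity declared in the DTD (internal or external) can be processed.
    raise UnsafeXMLError(f"DTD not allowed (DOCTYPE {name!r}, system id {sysid!r})")


def safe_parse_xml(data: bytes) -> ET.Element:
    """Parse untrusted XML, rejecting any document that carries a DOCTYPE.

    A first expat pass enforces the no-DTD rule; the document is then handed to
    ElementTree, which cannot expand entities that were never declared.
    """
    pre = expat.ParserCreate()
    pre.StartDoctypeDeclHandler = _reject_doctype
    pre.Parse(data, True)        # UnsafeXMLError on DOCTYPE, ExpatError on malformed input
    return ET.fromstring(data)   # no DTD survived the check, so no entity expansion is possible


def classify(data: bytes) -> str:
    """Summarise the outcome for a request body: ok:<root tag>, rejected, or malformed."""
    try:
        root = safe_parse_xml(data)
    except UnsafeXMLError:
        return "rejected"
    except expat.ExpatError:
        return "malformed"
    return "ok:" + root.tag


# Constructed sample bodies (hypothetical, not captured traffic).
BENIGN_DOC = b"<checkin><udid>CONSTRUCTED-DEVICE-1234</udid></checkin>"
DTD_DOC = (b'<!DOCTYPE checkin [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
           b"<checkin>&ext;</checkin>")

if __name__ == "__main__":
    print(classify(BENIGN_DOC))   # ok:checkin
    print(classify(DTD_DOC))      # rejected
```

Rejecting every DOCTYPE is deliberately stricter than disabling only external entities: it also removes internal entity expansion (the "billion laughs" class) and needs no per-library feature flags. Applied in front of an endpoint such as the affected check-in handler, it turns the vulnerable condition into a 400 response and a log line worth alerting on.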
Specific Vulnerability Details
- CVE-2025-2775 and CVE-2025-2776: These vulnerabilities are found within the /mdm/checkin endpoint and allow pre-authenticated XXE attacks.
- CVE-2025-2777: This vulnerability is located within the /lshw endpoint, also permitting pre-authenticated XXE attacks.
Researchers from watchTowr Labs noted that these vulnerabilities are relatively easy to exploit through specially crafted HTTP POST requests directed at the affected endpoints.
Potential Impact of Exploitation
If successfully exploited, these vulnerabilities could allow attackers to access sensitive local files, including SysAid’s "InitAccount.cmd" file. This file contains critical information such as the administrator account username and plaintext password established during installation. With this data, an attacker could gain full administrative access to SysAid, effectively compromising the entire system.
Moreover, the XXE vulnerabilities could be combined with another command injection vulnerability, identified as CVE-2025-2778, discovered by a third-party researcher. This combination could lead to remote code execution, amplifying the threat posed by the initial vulnerabilities.
Mitigation and Response
In response to these critical vulnerabilities, SysAid released an update in early March 2025, rectifying all four identified issues in the on-premise version 24.4.60 b16. A proof-of-concept (PoC) exploit demonstrating the combined vulnerabilities has also been made available, highlighting the urgency for users to secure their systems.
Given the history of security flaws in SysAid, including previous vulnerabilities exploited by ransomware groups like Cl0p, it is crucial for users to update their instances to the latest version promptly. Failure to do so could leave organizations vulnerable to attacks that exploit these critical flaws.
Conclusion
The discovery of these vulnerabilities in SysAid IT support software underscores the importance of regular software updates and vigilant cybersecurity practices. Organizations must prioritize the security of their IT infrastructure to mitigate risks associated with such vulnerabilities. By staying informed and proactive, businesses can better protect themselves against potential cyber threats.