CyberSecurity news


@www.helpnetsecurity.com //
A pre-authentication Remote Code Execution (RCE) vulnerability chain has been discovered in SysAid On-Premises, a self-hosted IT service management platform. Researchers at watchTowr Labs have disclosed technical details and a proof-of-concept exploit for this vulnerability, identified as CVE-2025-2775, along with related XXE injection vulnerabilities (CVE-2025-2776, CVE-2025-2777). The flaws allow threat actors to execute arbitrary code on affected systems without prior authentication. This vulnerability affects the on-premise version of the SysAid IT support software, posing a significant risk to organizations using the platform.

SysAid addressed these critical vulnerabilities in early March 2025 with the release of on-premise version 24.4.60 b16. The vulnerabilities are XML External Entity (XXE) injections within specific endpoints (/mdm/checkin and /lshw), which can be exploited via specially crafted HTTP POST requests. Successful exploitation could allow attackers to retrieve sensitive local files, including the "InitAccount.cmd" file containing administrator credentials. This access can then be leveraged to gain full administrative control over the SysAid instance.

The severity of the XXE flaws is compounded by the possibility of chaining them with a separate operating system command injection vulnerability (CVE-2025-2778), enabling remote code execution. Given SysAid's history of being targeted by ransomware groups, including the exploitation of CVE-2023-47246 in zero-day attacks, security experts are urging users to immediately update their SysAid On-Premises installations to the latest version to mitigate the risk of exploitation. A proof-of-concept (PoC) exploit combining the four vulnerabilities has been made available, further emphasizing the need for immediate patching.
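The two checks a defender takes away from the paragraphs above are (a) confirm the installed build is at or beyond the fixed release, 24.4.60 b16, and (b) look for inline DTDs with external entity declarations in POST bodies sent to the two named endpoints, /mdm/checkin and /lshw. The following Python is an added illustration of both checks; it is not code from SysAid, watchTowr Labs or any of the cited articles. The tab-separated log format, the sample lines, the "PLACEHOLDER" URIs and the assumption that SysAid version strings take the shape "MAJOR.MINOR.PATCH bBUILD" are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Endpoints the advisory names as the XXE injection points.
XXE_ENDPOINTS = {"/mdm/checkin", "/lshw"}

# Release in which SysAid fixed the chain, per the advisory.
FIXED_VERSION = "24.4.60 b16"

# Any inline DTD in a request body is suspicious on these endpoints;
# an ENTITY declaration with a SYSTEM or PUBLIC identifier loads external content.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\b[^>]*\b(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    src: str
    path: str
    severity: str
    reason: str


def parse_log_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one constructed, tab-separated line: src_ip, method, path, body ('-' if none)."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    return parts[0], parts[1], parts[2], parts[3]


def inspect_request(line_no: int, src: str, method: str, path: str, body: str) -> Optional[Finding]:
    """Flag POST bodies to the XXE endpoints that carry a DTD; external entities rank highest."""
    if method.upper() != "POST" or path not in XXE_ENDPOINTS or body == "-":
        return None
    if EXTERNAL_ENTITY_RE.search(body):
        return Finding(line_no, src, path, "high", "external entity declaration in request body")
    if DOCTYPE_RE.search(body):
        return Finding(line_no, src, path, "medium", "inline DOCTYPE in request body")
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        finding = inspect_request(n, *parsed)
        if finding:
            findings.append(finding)
    return findings


# Assumed version shape "24.4.60 b16" -> (24, 4, 60, 16); adjust if your build strings differ.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*b(\d+)\s*$")


def version_key(version: str) -> Tuple[int, int, int, int]:
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_patched(installed: str) -> bool:
    """True when the installed build is at or beyond the fixed release."""
    return version_key(installed) >= version_key(FIXED_VERSION)


# Constructed sample log: src_ip <TAB> method <TAB> path <TAB> body
SAMPLE_LOG = [
    "10.0.0.5\tPOST\t/mdm/checkin\t<?xml version=\"1.0\"?><checkin><device>dev-01</device></checkin>",
    "10.0.0.7\tGET\t/index.jsp\t-",
    "10.0.0.9\tPOST\t/lshw\t<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">]><lshw>&ext;</lshw>",
    "10.0.0.8\tPOST\t/mdm/checkin\t<!DOCTYPE d [<!ENTITY note \"inline only\">]><checkin>&note;</checkin>",
    "10.0.0.9\tPOST\t/login\t<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://PLACEHOLDER/\">]><x>&ext;</x>",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity:6} {f.src} -> {f.path}: {f.reason}")
    for v in ("24.4.59 b40", "24.4.60 b16"):
        print(f"{v}: {'patched' if is_patched(v) else 'VULNERABLE, upgrade'}")
```

The endpoint allowlist keeps the rule tight to the two paths the advisory names; dropping it makes the same DTD check a general XXE canary for every XML-accepting route. The fifth sample line is deliberately outside the allowlist to show that trade-off.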
Original img attribution: https://img.helpnetsecurity.com/wp-content/uploads/2025/05/07131021/sysaid-1500.webp


References:
  • Arctic Wolf: CVE-2025-2775: PoC Released for SysAid On-Premises Pre-Auth RCE Vulnerability
  • labs.watchtowr.com: SysOwned, Your Friendly Support Ticket - SysAid On-Premise Pre-Auth RCE Chain (CVE-2025-2775 And Friends) - watchTowr Labs
  • The Hacker News: Threat actors can achieve pre-authenticated remote code execution on the on-premise version of SysAid IT support software
  • www.scworld.com: Significant RCE compromise likely with SysAid vulnerabilities
  • Help Net Security: HelpNetSecurity reports on PoC exploit for SysAid pre-auth RCE released, upgrade quickly!
Classification:
  • HashTags: #RCE #SysAid #ITSM
  • Company: SysAid
  • Target: Organizations using SysAid
  • Product: SysAid On-Premises
  • Feature: Remote Code Execution
  • Malware: CVE-2025-2775, CVE-2025-2776, CVE-2025-2777
  • Type: Vulnerability
  • Severity: Critical