CISA Alerts on Active Exploitation of SysAid Vulnerabilities Enabling Remote File Access and SSRF

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added two critical vulnerabilities affecting SysAid’s IT support software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Identified Vulnerabilities:

1. CVE-2025-2775: This vulnerability involves improper restriction of XML external entity (XXE) references within the Checkin processing functionality. Exploitation could lead to administrator account takeover and unauthorized file access.

2. CVE-2025-2776: Similar to the first, this flaw pertains to improper restriction of XXE references in the Server URL processing functionality, also potentially resulting in administrator account takeover and unauthorized file access.

Both vulnerabilities were disclosed by watchTowr Labs researchers Sina Kheirkhah and Jake Knott in May 2025. They, along with CVE-2025-2777—a pre-authenticated XXE vulnerability within the /lshw endpoint—were addressed by SysAid in the on-premise version 24.4.60 build 16, released in early March 2025.

Potential Risks:

The identified vulnerabilities allow attackers to inject malicious XML entities into the web application. This can lead to Server-Side Request Forgery (SSRF) attacks and, in certain scenarios, remote code execution when combined with CVE-2024-36394, a command injection flaw disclosed by CyberArk in June 2024.
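The XXE class of bug described above is defeated at the parser boundary: a check-in or server-URL handler has no legitimate reason to accept a DTD, so refusing any document that declares one, and parsing with external entity resolution disabled, removes the injection point. The following is an added illustration of that policy in Python; it is not SysAid's code, the element names and sample messages are constructed, and the entity URL is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a benign agent check-in of the kind an IT support
# server might accept. Element names are hypothetical, not SysAid's format.
BENIGN_CHECKIN = b"""<?xml version="1.0"?>
<checkin><host>ws-042</host><agent>1.2.3</agent></checkin>"""

# Constructed sample: the same message carrying a DTD that declares an
# external entity (placeholder URL). Resolving such an entity is what turns
# XXE into file access or SSRF, so a hardened endpoint refuses it unparsed.
ENTITY_CHECKIN = b"""<?xml version="1.0"?>
<!DOCTYPE checkin [<!ENTITY ext SYSTEM "http://placeholder.invalid/x">]>
<checkin><host>&ext;</host><agent>1.2.3</agent></checkin>"""

# Any DOCTYPE or ENTITY declaration; a check-in message never needs a DTD,
# so "no DTD at all" is a safe policy for this input.
_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UntrustedXMLError(ValueError):
    """Raised when a document declares a DTD or entity and is refused."""


def contains_dtd(data: bytes) -> bool:
    """Detection check: True if the document declares a DOCTYPE or ENTITY."""
    return _DTD_RE.search(data) is not None


def parse_checkin(data: bytes) -> dict:
    """Parse a check-in message under a no-DTD policy.

    Refuses the document before any parser sees it if a DTD is declared;
    otherwise parses with the stdlib expat-based parser, which does not
    fetch external entities, and returns the fields the server needs.
    """
    if contains_dtd(data):
        raise UntrustedXMLError("DTD/entity declaration in check-in payload")
    root = ET.fromstring(data)
    if root.tag != "checkin":
        raise UntrustedXMLError(f"unexpected root element {root.tag!r}")
    return {child.tag: (child.text or "") for child in root}


if __name__ == "__main__":
    print(parse_checkin(BENIGN_CHECKIN))
    try:
        parse_checkin(ENTITY_CHECKIN)
    except UntrustedXMLError as exc:
        print("refused:", exc)
```

A refusal from `contains_dtd` on a production endpoint is also a useful detection signal, since legitimate agents never send a DOCTYPE.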

Current Exploitation Status:

Details regarding the methods of exploitation for CVE-2025-2775 and CVE-2025-2776 in real-world attacks remain unclear. Information about the threat actors involved, their objectives, or the extent of these attacks has not been disclosed.

Recommended Actions:

To mitigate the risks associated with these vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies are mandated to implement the necessary patches by August 12, 2025. Organizations utilizing SysAid’s on-premise solutions should ensure they have updated to version 24.4.60 build 16 or later to protect against potential exploits.