
Critical Vulnerabilities in SysAid IT Support Software: Immediate Update Required

Recent disclosures have highlighted critical security vulnerabilities in the on-premise version of SysAid IT support software, which could be exploited for pre-authenticated remote code execution with elevated privileges. These vulnerabilities, identified as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, are XML External Entity (XXE) injections. They allow attackers to interfere with XML input parsing, potentially leading to Server-Side Request Forgery (SSRF) attacks and remote code execution. The vulnerabilities are considered trivial to exploit and could result in unauthorized access to sensitive information, including administrative credentials.

The vulnerabilities are located within the /mdm/checkin and /lshw endpoints of the SysAid application. Successful exploitation could enable attackers to retrieve local files containing sensitive data, such as the "InitAccount.cmd" file, which includes administrator account details. Furthermore, these XXE vulnerabilities can be combined with an operating system command injection vulnerability (CVE-2025-2778) to achieve remote code execution. SysAid has addressed these issues in version 24.4.60 b16, released in March 2025.

Given the history of SysAid vulnerabilities being exploited by ransomware groups like Cl0p, it is crucial for users to update their software to the latest version immediately. A proof-of-concept exploit demonstrating the combination of these vulnerabilities has been made available, increasing the urgency for patching.

Threats and Vulnerabilities

The primary threat involves XML External Entity (XXE) injection vulnerabilities (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777) in SysAid's on-premise software. These vulnerabilities allow attackers to manipulate XML input parsing, leading to potential SSRF attacks and remote code execution. The affected endpoints are /mdm/checkin and /lshw, which can be exploited via specially crafted HTTP POST requests. The impact includes unauthorized access to sensitive files and administrative credentials.

Additionally, an operating system command injection vulnerability (CVE-2025-2778) can be chained with the XXE flaws to execute arbitrary commands on the server. This combination significantly increases the risk of a full system compromise. The vulnerabilities are particularly concerning for industries relying on SysAid for IT support management, as they could lead to operational disruptions and data breaches.

Client Impact

Clients using SysAid's on-premise version are at risk of significant operational disruptions due to potential unauthorized access and control over their IT support systems. Exploitation of these vulnerabilities could lead to data breaches, exposing sensitive information and administrative credentials. This exposure may result in financial losses and reputational damage, especially if exploited by ransomware groups.

From a compliance perspective, organizations may face regulatory challenges if sensitive data is compromised due to these vulnerabilities. Failure to update the software promptly could lead to audits or penalties under data protection regulations.

Mitigations

To mitigate the risks associated with these vulnerabilities, clients should take the following actions:

  1. Update SysAid to version 24.4.60 b16 or later immediately to address the identified vulnerabilities.
  2. Conduct a thorough review of access logs for any signs of unauthorized access or exploitation attempts.
  3. Implement network segmentation to limit exposure of critical systems and services.
  4. Regularly back up critical data and ensure backups are stored securely offline.
  5. Educate IT staff about the risks associated with XXE and command injection vulnerabilities.
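The log review in step 2 can be partly automated. The following is an added example (not SysAid's code and not from the advisory): it scans access-log lines in the common/combined format (an assumed format; adjust the pattern to your server) for POST traffic to the two endpoints the advisory names, tallies hits per source address for triage, and offers a pre-parse check that rejects XML bodies carrying a DOCTYPE or ENTITY declaration, which an untrusted MDM check-in should never contain. The sample log lines are constructed.

```python
"""Added example: flag POSTs to the advisory's XXE endpoints in access
logs and reject XML bodies that declare a DTD. Not SysAid code."""
import re
from collections import Counter

# Endpoints named in the advisory as the XXE injection points.
WATCHED_PATHS = ("/mdm/checkin", "/lshw")

# Common/combined access-log line (assumed format; adapt as needed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Any DOCTYPE or ENTITY declaration in an untrusted XML body is a red flag.
DTD_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)

def watched_path(path: str) -> bool:
    """True if the request path (ignoring query and case) is watched."""
    base = path.split("?", 1)[0].rstrip("/").lower()
    return base in WATCHED_PATHS

def suspicious_requests(lines):
    """Yield (ip, timestamp, path, status) for POSTs to watched endpoints."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and watched_path(m["path"]):
            yield m["ip"], m["ts"], m["path"], int(m["status"])

def hits_by_source(lines) -> Counter:
    """Count flagged POSTs per source address for triage."""
    return Counter(ip for ip, *_ in suspicious_requests(lines))

def body_has_dtd(body: bytes) -> bool:
    """Reject XML bodies that declare a DTD or entities before parsing."""
    return DTD_RE.search(body) is not None

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2025:08:01:02 +0000] "POST /mdm/checkin HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/May/2025:08:01:05 +0000] "POST /lshw HTTP/1.1" 200 88',
    '198.51.100.4 - - [10/May/2025:08:02:00 +0000] "GET /Login.jsp HTTP/1.1" 200 9021',
    '203.0.113.7 - - [10/May/2025:08:02:30 +0000] "POST /MDM/checkin?x=1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("flagged:", hit)
    print(hits_by_source(SAMPLE_LOG))
```

A single hit is not proof of compromise, since legitimate MDM clients post to these endpoints; correlate flagged sources with known agents and with any unexpected outbound connections from the SysAid host.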

By taking these steps, clients can significantly reduce their risk exposure and enhance their security posture against potential exploitation attempts. It is essential to remain vigilant and proactive in applying security updates and monitoring systems for unusual activity.

1898 & Co. Response

1898 & Co. is actively addressing the current threat landscape by offering specialized services to help clients secure their IT support systems against emerging threats like those affecting SysAid. Our team provides tailored vulnerability assessments and patch management solutions to ensure clients' systems are up-to-date and protected against known exploits.

We are enhancing our security protocols by incorporating advanced threat detection capabilities that focus on identifying XXE and command injection attempts. Our collaboration with industry partners allows us to stay informed about the latest threat intelligence and share insights with our clients.

Our ongoing research efforts are dedicated to understanding new attack vectors and developing effective mitigation strategies. We have successfully assisted several clients in mitigating similar threats through our comprehensive security assessments and incident response services.
