
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about two serious vulnerabilities in the widely used SysAid IT support software. These vulnerabilities are currently being exploited in real-world cyberattacks, and organizations are being urged to patch their systems immediately.
CISA has added both flaws to its Known Exploited Vulnerabilities (KEV) catalog, a list of security issues that pose serious risks due to active exploitation. These vulnerabilities could allow hackers to gain remote access to files and potentially take over administrator accounts.
The two critical flaws now under active exploitation are:
- CVE-2025-2775 (CVSS score: 9.3) – A flaw in how the SysAid software handles XML external entities (XXE) during the Checkin process. If exploited, this vulnerability can allow attackers to read sensitive files and even take control of an admin account.
- CVE-2025-2776 (CVSS score: 9.3) – Another XXE flaw, this time in how the system processes the Server URL. Like the previous one, it can be used to read files and escalate privileges to admin level.
Both issues are extremely dangerous due to their high severity scores and the fact that attackers can exploit them remotely without needing valid credentials.
These flaws were initially discovered by Sina Kheirkhah and Jake Knott of watchTowr Labs and publicly disclosed in May 2025. The researchers had also identified a third related flaw — CVE-2025-2777 — a pre-authentication XXE vulnerability found in the /lshw endpoint.
According to security experts, these vulnerabilities can be used for more than just reading files. They can also lead to Server-Side Request Forgery (SSRF) attacks, which trick the system into making unauthorized requests to internal resources.
Even worse, when combined with another known vulnerability — CVE-2024-36394, a command injection flaw discovered by CyberArk — attackers might be able to execute arbitrary code on the server. This would give them full control over the affected system.
SysAid has already issued patches for these vulnerabilities in its on-premise version 24.4.60 build 16, which was released in early March 2025. Organizations using this version should make sure they have applied the update.
For companies using older versions or cloud-hosted deployments, it is critical to check with SysAid for the most current security updates and apply them without delay.

As of now, there is no publicly available information about who is exploiting these flaws or how widespread the attacks are. CISA has not disclosed the identity of the threat actors, their motivations, or the specific organizations targeted.
However, the fact that these vulnerabilities are under active exploitation means that they are likely being used by sophisticated threat groups — possibly even nation-state actors or ransomware gangs — to gain unauthorized access to sensitive networks.
In response to the active threat, Federal Civilian Executive Branch (FCEB) agencies have been mandated by CISA to apply the necessary patches no later than August 12, 2025.
While this directive is specific to federal agencies, CISA strongly recommends that all organizations using SysAid software take immediate steps to mitigate the risks.
To protect your systems from these ongoing cyber threats, consider the following steps:
- Update SysAid immediately – Ensure your system is running the patched version (24.4.60 build 16 or later).
- Monitor network traffic – Look for unusual outbound requests that may indicate SSRF or data exfiltration.
- Restrict external entity processing – Configure your XML parsers to disable XXE processing if not needed.
- Review server logs – Check for signs of suspicious activity, such as unauthorized access or abnormal file read attempts.
- Segment networks – Prevent lateral movement by isolating critical infrastructure.
- Enable least privilege – Ensure admin rights are limited and monitored closely.
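The "Restrict external entity processing" step above, shown as working code: this is an added example, not SysAid's code or anything from the advisory, built on Python's standard-library expat binding. The check-in XML and the entity payload are constructed stand-ins, and the example goes a little beyond the bare advice by also covering the case where a DTD must be allowed but external DTDs and SYSTEM/PUBLIC entities still have to be refused.

```python
import xml.parsers.expat


class XXEBlocked(Exception):
    """The document declared a DTD or an external entity."""


def parse_hardened(xml_bytes: bytes, allow_dtd: bool = False) -> str:
    """Parse XML and return its character data, refusing XXE constructs.
    By default any DOCTYPE is rejected; with allow_dtd=True an internal subset
    is tolerated but external DTDs and SYSTEM/PUBLIC entities still raise."""
    parser = xml.parsers.expat.ParserCreate()
    text = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise XXEBlocked(f"DOCTYPE {name!r} not permitted")
        if sysid is not None or pubid is not None:
            raise XXEBlocked(f"external DTD {sysid!r} not permitted")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # value is None for external entities; sysid holds the file path/URL
        if sysid is not None or pubid is not None:
            raise XXEBlocked(f"external entity {name!r} -> {sysid!r}")

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: never resolve anything, whatever was declared
        raise XXEBlocked(f"refusing to resolve {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)  # handlers above raise XXEBlocked
    return "".join(text)


def is_rejected(xml_bytes: bytes, allow_dtd: bool = False) -> bool:
    try:
        parse_hardened(xml_bytes, allow_dtd)
    except XXEBlocked:
        return True
    return False


# Constructed inputs (not SysAid's real format): a benign check-in message
# and the textbook external-entity shape the advisory describes.
BENIGN = b"<checkin><host>srv-01</host></checkin>"
XXE = b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/hostname">]><r>&x;</r>'
```

The same three handlers exist in every expat-based parser; for Java-based stacks the equivalent is disabling DOCTYPE declarations and external general/parameter entities on the DocumentBuilderFactory or SAXParserFactory.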
This new wave of exploits targeting SysAid vulnerabilities highlights the ongoing importance of timely patch management and vulnerability awareness. With threat actors increasingly focusing on exploiting software flaws in IT management tools, organizations must stay proactive and vigilant.
CISA’s inclusion of these SysAid vulnerabilities in the KEV catalog is a clear signal: these are not just theoretical risks. Exploitation is already happening, and unpatched systems remain vulnerable to serious breaches.
For organizations relying on SysAid for IT support and asset management, securing your infrastructure now can prevent a costly incident later.