Scrape Timestamp (UTC): 2025-05-07 11:38:46.219
Source: https://thehackernews.com/2025/05/sysaid-patches-4-critical-flaws.html
Original Article Text
SysAid Patches 4 Critical Flaws Enabling Pre-Auth RCE in On-Premise Version

Cybersecurity researchers have disclosed multiple security flaws in the on-premise version of SysAid IT support software that could be exploited to achieve pre-authenticated remote code execution with elevated privileges.

The vulnerabilities, tracked as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, have all been described as XML External Entity (XXE) injections, which occur when an attacker is able to interfere with an application's parsing of XML input. This, in turn, could permit attackers to inject unsafe XML entities into the web application, allowing them to carry out a Server-Side Request Forgery (SSRF) attack and, in the worst case, remote code execution.

A description of the three vulnerabilities, according to watchTowr Labs researchers Sina Kheirkhah and Jake Knott, is as follows -

watchTowr Labs described the vulnerabilities as trivial to exploit by means of a specially crafted HTTP POST request to the endpoints in question. Successful exploitation of the flaws could enable an attacker to retrieve local files containing sensitive information, including SysAid's own "InitAccount.cmd" file, which contains the administrator account username and plaintext password created during installation. Armed with this information, the attacker could then gain full administrative access to SysAid.

To make matters worse, the XXE flaws could be chained with another operating system command injection vulnerability, discovered by a third party, to achieve remote code execution. The command injection issue has been assigned the CVE identifier CVE-2025-2778.

All four vulnerabilities have been rectified by SysAid with the release of on-premise version 24.4.60 in early March 2025. A proof-of-concept (PoC) exploit combining the four vulnerabilities has been made available.
With security flaws in SysAid (CVE-2023-47246) previously exploited by ransomware actors like Cl0p in zero-day attacks, it's imperative that users update their instances to the latest version.
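XXE, as described above, is a parser problem, and the parser-level mitigation is to refuse DTD features before untrusted XML reaches the application. The following is an added example (not SysAid's code and not the vendor fix) of a guard built on Python's expat bindings that rejects any POST body declaring a DOCTYPE, an entity, or an external reference; the ticket document and the probe document are constructed test data, with a placeholder file path.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

class UnsafeXmlError(ValueError):
    """Document tried to use a DTD feature that enables XXE/SSRF."""

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Refuse any DOCTYPE: inline entity definitions and external DTDs both start here.
    raise UnsafeXmlError(f"DOCTYPE '{name}' not allowed")

def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    raise UnsafeXmlError(f"entity declaration '{name}' not allowed")

def _reject_external_ref(context, base, sysid, pubid):
    raise UnsafeXmlError(f"external entity reference {sysid!r} not allowed")

def check_xml_is_safe(data: bytes) -> None:
    """Pre-scan with a bare expat parser; raises UnsafeXmlError on any DTD feature."""
    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = _reject_doctype
    p.EntityDeclHandler = _reject_entity
    p.ExternalEntityRefHandler = _reject_external_ref
    p.Parse(data, True)

def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse a POST body only after the guard accepts it."""
    check_xml_is_safe(data)
    return ET.fromstring(data)

# Constructed samples: a benign ticket and the shape of an XXE probe (placeholder path).
BENIGN = b'<?xml version="1.0"?><ticket><subject>printer offline</subject></ticket>'
XXE_PROBE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE ticket [<!ENTITY f SYSTEM "file:///PLACEHOLDER_PATH">]>'
    b'<ticket><subject>&f;</subject></ticket>'
)

def classify(data: bytes) -> str:
    """'accepted', 'rejected: ...' or 'malformed: ...' for a candidate POST body."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXmlError as exc:
        return f"rejected: {exc}"
    except (ET.ParseError, xml.parsers.expat.ExpatError) as exc:
        return f"malformed: {exc}"
    return "accepted"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe probe", XXE_PROBE)):
        print(label, "->", classify(doc))
```

Logging the rejection reason at the endpoint gives a detection signal for XXE probing in addition to the mitigation.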
Daily Brief Summary
Cybersecurity researchers revealed multiple critical vulnerabilities in the on-premise version of SysAid IT support software.
The flaws, identified as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, involve XML External Entity (XXE) injections allowing pre-authenticated remote code execution.
Attackers could exploit these to perform Server-Side Request Forgery (SSRF) attacks and potentially execute remote code by injecting unsafe XML entities.
An additional related vulnerability, CVE-2025-2778, involves OS command injection, which could further facilitate remote code execution.
Successful exploitation could allow unauthorized access to sensitive data, including plaintext administrator passwords, enabling full administrative control.
SysAid has released a software update version 24.4.60 to patch these vulnerabilities.
A proof-of-concept (PoC) exploit showing the combined use of these vulnerabilities has been made public, raising the urgency for updates.
This is not the first time SysAid has been targeted; an earlier flaw, CVE-2023-47246, was exploited in ransomware attacks by Cl0p.