On-premises SysAid IT support software instances have been impacted by a trio of XML External Entity injection vulnerabilities, tracked as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, which could be leveraged to facilitate pre-authenticated remote code execution and escalated privileges, eventually resulting in server-side request forgery and RCE intrusions, reports The Hacker News. Threat actors with a specially crafted HTTP POST request to the vulnerable endpoints could exploit the XXE flaws to access sensitive local files containing admin account credentials, as well as chain them with the command injection bug, tracked as CVE-2025-2778, to enable RCE, according to watchTowr Labs researchers, who identified and reported the first three security issues. Organizations have been advised to immediately update on-premises SysAid software to version 24.4.60 b16, which resolves all of the mentioned security vulnerabilities, especially as the older SysAid flaw, tracked as CVE-2023-47426, has already been abused by the Clop ransomware operation in zero-day intrusions.
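The report above describes the general XXE pattern: an XML-accepting endpoint that processes a POST body containing a DTD with an external entity. As an added illustration (not SysAid's code, not watchTowr's research, and not specific to the CVEs above), the following Python shows the two controls a defender would want on such an endpoint: a parser that refuses any DOCTYPE before entity declarations can do anything, and a simple screen over request logs for DTD markers in POST bodies. The endpoint paths, log format and sample documents are constructed for this example; the entity's `SYSTEM` target is a placeholder.

```python
"""
Added example (not from the original report): refusing the XML features XXE
depends on, and screening request logs for them.  All paths, log lines and
documents below are constructed for illustration.
"""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document declares a DTD or tries to resolve an external entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted client into nested dicts (tag, attrs, text, children).

    Any <!DOCTYPE ...> is rejected outright: entity declarations only exist
    inside a DTD, so refusing the DTD removes the mechanism XXE needs.
    Refusing external entity resolution is kept as a second layer.
    """
    parser = xml.parsers.expat.ParserCreate()
    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Exceptions raised in a handler propagate out of parser.Parse().
        raise UnsafeXMLError(f"DOCTYPE {doctype_name!r} is not allowed")

    def reject_external_entity(context, base, system_id, public_id):
        # Returning 0 makes expat abort instead of fetching the entity.
        return 0

    def start(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end(tag):
        stack.pop()

    def chars(text):
        stack[-1]["text"] += text

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(data, True)
    except UnsafeXMLError:
        raise
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed or unsafe XML: {exc}") from exc
    return root["children"][0]


def parses_safely(data: bytes) -> bool:
    """Convenience wrapper: True if the document is accepted, False if rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXMLError:
        return False


# Markers that only appear when a client ships a DTD; legitimate API clients
# sending plain element data have no reason to include them.
DTD_MARKERS = ("<!DOCTYPE", "<!ENTITY")


def flag_dtd_in_posts(log_lines) -> list:
    """Return request ids of POST bodies carrying DTD markers.

    Each line is 'REQID METHOD PATH BODY' (constructed format for this example).
    Only POSTs are screened, matching the vector described in the report.
    """
    hits = []
    for line in log_lines:
        req_id, method, _path, body = line.split(" ", 3)
        if method == "POST" and any(m in body.upper() for m in DTD_MARKERS):
            hits.append(req_id)
    return hits


# Constructed sample input.
BENIGN = b"<ticket><title>Printer offline</title><priority>2</priority></ticket>"
# Constructed document in the XXE shape: a DTD declaring an external entity.
# The SYSTEM target is a placeholder; the DOCTYPE itself is what gets refused.
DTD_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE ticket [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
           b'<ticket><title>&ext;</title></ticket>')
SAMPLE_LOG = [
    "r1 GET /api/example/login -",
    "r2 POST /api/example/ticket <ticket><title>ok</title></ticket>",
    'r3 POST /api/example/ticket <!DOCTYPE x [<!ENTITY e SYSTEM "file:///PLACEHOLDER">]><x>&e;</x>',
]

if __name__ == "__main__":
    print("benign accepted:", parses_safely(BENIGN))
    print("DTD document accepted:", parses_safely(DTD_DOC))
    print("flagged requests:", flag_dtd_in_posts(SAMPLE_LOG))
```

Rejecting the DTD at the parser is the control that closes the class of bug; the log screen is a low-cost way to notice attempts against an instance that has not yet been updated to the fixed version.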