SysAid Addresses 4 Critical Vulnerabilities Allowing Pre-Authenticated RCE in On-Premises Version

SysAid IT Support Software Vulnerabilities Expose Businesses to Remote Code Execution Risks

Cybersecurity experts have revealed critical security vulnerabilities in the on-premises version of SysAid IT support software, presenting significant risks for organizations using this platform. These vulnerabilities, identified as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, enable attackers to execute remote commands with elevated privileges, potentially allowing unauthorized access to sensitive systems.

The reported vulnerabilities stem from XML External Entity (XXE) injection flaws, which occur when an attacker successfully manipulates an application’s XML input processing. This exploitation can lead to Server-Side Request Forgery (SSRF) attacks and, in severe cases, to complete remote code execution. The exposed endpoints include /mdm/checkin and /lshw, both of which, according to researchers from watchTowr Labs, are vulnerable to exploitation through crafted HTTP POST requests.
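As an added illustration (not from the article, watchTowr Labs, or SysAid), the following Python request inspector flags POST bodies sent to the two disclosed endpoints that carry a DTD with entity declarations, something a legitimate MDM check-in or hardware inventory upload has no reason to include; the sample requests are constructed and the file URI is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Endpoints named in the disclosure as reachable by crafted POST requests.
WATCHED_PATHS = {"/mdm/checkin", "/lshw"}

# DTD constructs that benign check-in / inventory XML does not need.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)
EXTERNAL_RE = re.compile(r"\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    severity: str
    reason: str


def inspect_request(method: str, path: str, body: str) -> Optional[Finding]:
    """Return a Finding when a POST to a watched endpoint carries a DTD."""
    if method.upper() != "POST" or path.split("?", 1)[0] not in WATCHED_PATHS:
        return None
    if not DOCTYPE_RE.search(body):
        return None
    if ENTITY_RE.search(body) and EXTERNAL_RE.search(body):
        # External entity: the XXE shape that can read files or trigger SSRF.
        return Finding(path, "high", "external entity declared in DTD")
    if ENTITY_RE.search(body):
        return Finding(path, "medium", "internal entity declared in DTD")
    return Finding(path, "low", "DOCTYPE present in request body")


# Constructed sample traffic (hypothetical, not captured from a real system).
SAMPLE_REQUESTS = [
    ("POST", "/mdm/checkin", '<?xml version="1.0"?><checkin><device id="d1"/></checkin>'),
    ("POST", "/lshw", '<!DOCTYPE a [<!ENTITY b SYSTEM "file:///PLACEHOLDER">]><a>&b;</a>'),
    ("GET", "/mdm/checkin", ""),
    ("POST", "/mdm/checkin", '<!DOCTYPE a [<!ENTITY g "hi">]><a>&g;</a>'),
]


def scan(requests):
    """Run the inspector over (method, path, body) tuples; keep only hits."""
    return [f for f in (inspect_request(*r) for r in requests) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f.severity:6} {f.path}: {f.reason}")
```

Pair it with the fix itself: upgrading to the patched build and confirming the XML parser in front of these endpoints has DTD processing disabled.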

The implications of these vulnerabilities are dire. If successfully exploited, attackers could retrieve local files containing sensitive information, such as the “InitAccount.cmd” file, which discloses administrator account credentials established during the software’s installation. Armed with this information, attackers can attain administrative access to SysAid, potentially compromising the entire system’s integrity.

Compounding the threat, the vulnerabilities could be chained with an operating system command injection flaw, identified as CVE-2024-36394, which was corrected in June 2024. This combination represents a considerable risk for SysAid deployments and highlights the importance of timely patch management. Security experts stress the urgency for SysAid users to update to version 24.4.60 build 16, released in March 2025, to mitigate these risks.

MITRE ATT&CK tactics and techniques relevant to this incident include initial access via vulnerability exploitation, privilege escalation via credentials left in sensitive configuration files, and remote execution of attacker-supplied commands. Given the growing landscape of cyber threats, businesses must remain vigilant and proactive in safeguarding their digital assets.

Organizations should consider the potential impact of such vulnerabilities on their operations, particularly in light of past zero-day attacks involving SysAid, which have been exploited by ransomware groups like Cl0p. This situation underscores the importance of robust security protocols and regular software updates in mitigating risks associated with software vulnerabilities.

In summary, the recent disclosures regarding SysAid’s vulnerabilities serve as a critical reminder for business leaders to prioritize cybersecurity proactively. Regularly updating software, conducting risk assessments, and training staff on recognizing potential threats are essential steps in ensuring organizational security in an increasingly hostile digital environment.
