
SysAid Flaws Expose Dozens to Remote Hacks


SysAid Patches Critical Flaws That Could Allow Remote Command Execution 

SysAid has released security updates for its IT service management (ITSM) software to address a set of vulnerabilities that can be chained together for unauthenticated remote command execution.

The vulnerabilities were detailed on Wednesday by security firm WatchTowr. According to the company, its researchers uncovered multiple XML External Entity (XXE) vulnerabilities that unauthenticated attackers can trigger with specially crafted requests.

These flaws could allow threat actors to read sensitive local files, including files that grant full administrative control over SysAid, to make the server issue requests to other systems on the same network (server-side request forgery), and potentially to cause denial-of-service conditions.

Initially, WatchTowr was unable to achieve remote command execution. That changed when the researchers examined SysAid's update, which not only fixed the XXE vulnerabilities but also addressed a separate, authenticated operating system command injection flaw that had been reported by an anonymous researcher.

On closer inspection, WatchTowr found that this OS command injection issue could be combined with one of the XXE vulnerabilities to achieve remote command execution without any credentials.
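To make the mechanism concrete, here is an added example written for this page (it is not SysAid's code and not WatchTowr's proof of concept) showing why an XXE bug turns into a local file read and what a hardened parser does differently. It uses Python's expat binding; the XML request body, the temporary "server.conf" file and its contents are constructed for the demonstration, and the hardening shown (refusing any DOCTYPE in untrusted XML) is a general mitigation, not a description of SysAid's actual fix.

```python
import os
import tempfile
import xml.parsers.expat as expat


class DoctypeForbidden(ValueError):
    """Raised by the hardened parser when the document carries a DOCTYPE."""


def build_payload(path):
    """Constructed XXE payload (hypothetical request body, not from the advisory):
    declares an external general entity pointing at a local file and references
    it in the document body, so the file's contents get spliced into the XML."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE data [\n'
        b'  <!ENTITY xxe SYSTEM "' + path.encode() + b'">\n'
        b']>\n'
        b'<data>&xxe;</data>\n'
    )


def parse_text(xml_bytes, resolve_external_entities):
    """Parse xml_bytes with expat and return the concatenated character data.

    resolve_external_entities=True reproduces the vulnerable configuration: the
    parser follows SYSTEM identifiers and splices whatever it reads into the
    document. False is the hardened configuration: any DOCTYPE is rejected
    before an entity can even be declared, which also shuts the door on
    entity-expansion denial of service.
    """
    chunks = []
    parser = expat.ParserCreate()

    def on_characters(data):
        chunks.append(data)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not resolve_external_entities:
            raise DoctypeForbidden("DOCTYPE not allowed in untrusted XML")

    def on_external_entity(context, base, system_id, public_id):
        # Vulnerable resolver: open the SYSTEM identifier and feed the bytes to a
        # child parser. A real resolver would also fetch http:// identifiers,
        # which is the SSRF side of the same bug.
        if not resolve_external_entities:
            return 1  # skip the entity; not reached because the DOCTYPE is refused
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = on_characters
        with open(system_id, "rb") as f:
            child.Parse(f.read(), True)
        return 1

    parser.CharacterDataHandler = on_characters
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def demo():
    """Write a constructed stand-in for a config file, run the payload through
    both configurations, and return (text leaked by the vulnerable parse,
    whether the hardened parse refused the document)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "server.conf")  # constructed sample file
        with open(secret, "w") as f:
            f.write("db_password=hunter2")
        payload = build_payload(secret)
        leaked = parse_text(payload, resolve_external_entities=True)
        try:
            parse_text(payload, resolve_external_entities=False)
            blocked = False
        except DoctypeForbidden:
            blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser refused document:", blocked)
```

Run with `python3`: the vulnerable configuration returns the file's contents as if they were document text, while the hardened one raises before the entity is declared. In a real deployment the SYSTEM identifier would point at configuration or credential files readable by the application's service account, which is the kind of file the article means by "granting full administrative control"; an administrator credential lifted that way is the natural bridge from the XXE read to the authenticated command injection in the chain described above.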

The identified vulnerabilities are tracked as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777 for the XXE issues, and CVE-2025-2778 for the command injection flaw. 

SysAid addressed all four vulnerabilities in version 24.4.60, which was released in early March. All versions up to and including 23.3.40 are affected.

WatchTowr noted that the disclosure process with SysAid did not go as smoothly as expected, stating that the vendor responded only at the initial stage of communication. Meanwhile, The Shadowserver Foundation reported on Wednesday that it had found 77 internet-facing SysAid instances that still appear to be unpatched.

A proof-of-concept (PoC) exploit has been published by WatchTowr, demonstrating how these flaws can be used to carry out unauthenticated remote command execution. 

Organizations should address these issues promptly, especially given SysAid's history of being targeted by both cybercriminals and state-sponsored hackers: in recent years, vulnerabilities in SysAid products have been exploited in high-profile attacks.

SysAid reports that its ITSM solutions serve around 10 million users in over 140 countries. 
