CISA has added two recently patched SysAid On-Prem vulnerabilities to its Known Exploited Vulnerabilities catalog.
Identified as CVE-2025-2776 and CVE-2025-2775, the flaws were addressed in early March with the release of SysAid version 24.4.60 of its IT service management software.
Originally discovered by WatchTowr in December 2024, these XXE vulnerabilities were later disclosed in May 2025 along with proof-of-concept exploit code. WatchTowr noted that they could potentially be chained with CVE-2024-36394, a separate OS command injection flaw, to allow unauthenticated remote command execution.
SysAid says its ITSM products are used by 10 million users globally. At the time of disclosure, Shadowserver Foundation found only 77 exposed instances vulnerable to these flaws.
There are no confirmed reports of active exploitation involving CVE-2025-2776 or CVE-2025-2775. Both are similar pre-authentication XXE issues. Interestingly, the OS command injection flaw CVE-2024-36394, which was included in WatchTowr's exploit chain, has not yet been added to the KEV list. CISA has stated that the vulnerabilities have not been linked to ransomware attacks.
Still, ransomware actors have exploited SysAid flaws before: in 2023, Cl0p ransomware affiliates targeted a zero-day vulnerability tracked as CVE-2023-47246.
CyberSecurityInSights has contacted both WatchTowr and SysAid for further comment and will provide updates if a response is received.