Proof-of-Concept Released for SysAid On-Premise

Summary

Four vulnerabilities could allow an attacker to perform unauthenticated remote command execution


Affected platforms

The following platforms are known to be affected:

Threat details

Exploitation of CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, and CVE-2025-2778 (CVE-2024-36394)

Security researchers have confirmed exploitation of CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, and CVE-2025-2778 (CVE-2024-36394) in the wild. Further exploitation is considered highly likely.

The vulnerability identified as CVE-2025-2778 has been rejected and re-identified as a previously discovered vulnerability known as CVE-2024-36394. 


Introduction

In March 2025, SysAid released updates addressing Extensible Markup Language (XML) external entity vulnerabilities and an OS command injection vulnerability in its on-premise platform. SysAid is an IT service management platform.

Cyber security firm watchTowr Labs has released proof-of-concept exploit code for four vulnerabilities, which were addressed in SysAid's March 2025 release.


Vulnerability Details

The first two vulnerabilities, CVE-2025-2775 and CVE-2025-2776, are pre-authentication XML external entity (XXE) injection vulnerabilities within the /mdm endpoint. Successful exploitation could allow an unauthenticated attacker to disclose sensitive information or perform denial-of-service (DoS). SysAid has identified these vulnerabilities as SYSAID-11223.

A third vulnerability, designated CVE-2025-2777, is a pre-authentication XXE injection vulnerability within the /lshw endpoint. Successful exploitation could allow an unauthenticated attacker to disclose sensitive information or perform DoS. SysAid has identified this vulnerability as SYSAID-11224.

A final vulnerability, designated CVE-2024-36394, is an OS command injection vulnerability. Successful exploitation could allow an authenticated attacker to inject commands into the underlying operating system. SysAid has identified this vulnerability as SYSAID-11246.
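
The pre-authentication endpoints named above can be used to triage web access logs for requests that warrant review. The following is an added example, not part of the original advisory or of SysAid's own tooling; it assumes the Apache/Tomcat "common" access-log layout and that XML bodies reach these endpoints via POST, and the sample lines, paths below /mdm, and addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoints named in this advisory: /mdm (CVE-2025-2775, CVE-2025-2776)
# and /lshw (CVE-2025-2777).
WATCHED_SEGMENTS = {"mdm", "lshw"}

# Assumption: Apache/Tomcat "common" access-log layout.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def watched_endpoint(target):
    """Return the watched endpoint hit by a request target, or None."""
    path = urlsplit(target).path.lower()  # drops any query string
    for segment in path.split("/"):
        if segment in WATCHED_SEGMENTS:   # whole-segment match only
            return "/" + segment
    return None

def triage(lines):
    """Group POST requests to the watched endpoints by source IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        endpoint = watched_endpoint(m["target"])
        # Assumption: an XML request body implies POST, so other methods are ignored.
        if endpoint and m["method"] == "POST":
            hits[m["ip"]].append((m["ts"], endpoint, int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/May/2025:10:01:02 +0000] "POST /mdm/example HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/May/2025:10:01:09 +0000] "POST /lshw HTTP/1.1" 500 87',
    '192.0.2.10 - - [20/May/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 9001',
    '203.0.113.5 - - [20/May/2025:10:03:00 +0000] "GET /mdm/example HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, events in triage(SAMPLE_LOG).items():
        print(ip, len(events), "request(s):", events)
```

Legitimate clients may also call these endpoints, so each hit is a lead to compare against known sources rather than proof of exploitation.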


Threat updates

| Date | Update |
| --- | --- |
| 23 May 2025 | Updated vulnerability details to reflect rejection of CVE-2025-2778 and re-assignment of CVE-2024-36394. Vulnerability details for CVE-2025-2775, CVE-2025-2776 and CVE-2025-2777 added. |
| 23 May 2025 | Exploitation of CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, and CVE-2025-2778 (CVE-2024-36394) |

Remediation advice

Affected organisations are encouraged to review SysAid's 24.4.60 release notes and apply the relevant updates as soon as practicable.



Last edited: 23 May 2025 2:41 pm