The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two SysAid On-Prem vulnerabilities, CVE-2025-2775 and CVE-2025-2776, to its Known Exploited Vulnerabilities (KEV) catalog, confirming they are being actively exploited in the wild.
The flaws stem from improper handling of XML input (XXE), allowing unauthenticated attackers to:
- Exfiltrate sensitive local files (including admin credentials)
- Take over administrator accounts
- Launch further attacks (such as remote command execution when chained with other flaws like CVE-2024-36394)
Federal agencies have been mandated to patch by August 12, 2025 under Binding Operational Directive 22-01. Private organizations are urged to act with equal urgency.
Technical Overview
- CVE-2025-2775: XXE vulnerability in the /mdm/checkin endpoint
- CVE-2025-2776: XXE flaw in the ServerURL processing endpoint
- CVSS Score: 9.3 (Critical)
- Threat Type: Remote Exploitation | Unauthenticated XXE
- Affected Product: SysAid On-Prem (<= v23.3.40)
- Patched Version: v24.4.60
- Attack Vector: Remote | No authentication required
Attackers can submit malicious XML payloads to these endpoints to retrieve local files or manipulate the application logic. WatchTowr’s proof-of-concept demonstrates full admin takeover and RCE via batch file execution.
Attack Flow (Simplified)
- Attacker discovers exposed SysAid instance
- Sends crafted XML payload to vulnerable endpoint
- Server fetches attacker’s DTD and processes malicious entities
- Admin credentials exfiltrated → Remote code execution triggered
Why It Matters
SysAid serves over 5,000 organizations worldwide, including Fortune 500 companies like Xerox, Honda, and Coca-Cola.
Dozens of vulnerable instances are currently exposed to the internet, most in North America and Europe.
In 2023, the Clop ransomware group used a SysAid zero-day to launch ransomware attacks.
While no ransomware cases have been directly linked to CVE-2025-2775/2776 (yet), these flaws provide a direct pathway to domain compromise.
Indicators of Compromise (IOCs)
| Indicator | Description |
| --- | --- |
| Unauthenticated XML requests | Look for unusual or unauthenticated requests to /mdm/checkin or /lshw |
| Access to InitAccount.cmd | Attempts to access SysAid setup scripts like InitAccount.cmd |
| Unexpected creation of admin users | New administrator-level accounts appearing without change justification |
| Outbound traffic to suspicious domains | Connections to attacker-controlled domains over HTTP from SysAid infrastructure |
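As an added illustration of the log-based indicators above (this is not code from the advisory or from SysAid), the following Python script scans web-server access-log lines for requests to the /mdm/checkin and /lshw endpoints from outside a trusted internal range and for attempts to fetch InitAccount.cmd. The log lines are constructed, and the combined log format and the 10.0.0.0/8 trusted range are assumptions to adapt to your environment.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample access-log lines (Apache/nginx combined format) for
# illustration only; none are real captures. 10.0.0.0/8 stands in for the
# trusted internal network from which the SysAid SOAP endpoints should be reached.
SAMPLE_LOG = """\
10.20.3.15 - - [10/Aug/2025:09:12:01 +0000] "POST /mdm/checkin HTTP/1.1" 200 512 "-" "SysAidAgent"
203.0.113.42 - - [10/Aug/2025:09:14:37 +0000] "POST /mdm/checkin HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.42 - - [10/Aug/2025:09:14:39 +0000] "POST /lshw HTTP/1.1" 500 231 "-" "python-requests/2.31"
198.51.100.7 - - [10/Aug/2025:09:15:02 +0000] "GET /InitAccount.cmd HTTP/1.1" 404 0 "-" "curl/8.0"
10.20.3.15 - - [10/Aug/2025:09:16:10 +0000] "GET /index.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: your internal range
SOAP_ENDPOINTS = ("/mdm/checkin", "/lshw")           # endpoints named in the IOC table
SETUP_SCRIPTS = ("InitAccount.cmd",)                 # setup script named in the IOC table

# Minimal combined-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_trusted(ip: str) -> bool:
    """True if the client address falls inside one of the trusted internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per log line that matches an indicator from the table above."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # drop any query string
        ip = m.group("ip")
        if path in SOAP_ENDPOINTS and not is_trusted(ip):
            findings.append({"ip": ip, "path": path, "ioc": "external access to SOAP endpoint"})
        elif any(path.endswith(script) for script in SETUP_SCRIPTS):
            findings.append({"ip": ip, "path": path, "ioc": "setup script access"})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it against your own access logs to surface the three external-origin requests in the sample; internal agent check-ins to /mdm/checkin are not flagged.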
Recommended Actions
Organizations using SysAid On-Prem are strongly urged to upgrade to version 24.4.60 or later without delay (see SysAid's release notes for that version).
In addition to patching, organizations should take steps to harden their network posture. Specifically, limit the exposure of SOAP endpoints, such as /mdm/checkin and /lshw, by ensuring they are only accessible from trusted internal networks.
These endpoints were the primary vector used in the reported exploits and should not be reachable from the public internet.
Network-level defenses should also be implemented. Intrusion detection and prevention systems (IDS/IPS) should be configured to detect XML External Entity (XXE) injection attempts. SonicWall, for example, has released a set of signatures (IPS 20990 through 20994) designed to identify and block these attacks.
Stay Safe. Stay Secure.
OP Innovate Research Team