Monday, April 27, 2026

CISA Alerts About Hackers Targeting SysAid Vulnerabilities in Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent warnings about two critical vulnerabilities in SysAid On-Prem systems that are being actively exploited by threat actors in the wild.

The agency has added CVE-2025-2776 and CVE-2025-2775 to its Known Exploited Vulnerabilities (KEV) catalog, signaling immediate security concerns for organizations using the popular IT service management platform.

Both newly cataloged vulnerabilities represent serious XML External Entity (XXE) reference vulnerabilities that fundamentally compromise the security architecture of SysAid On-Prem deployments.

CVE-2025-2776 affects the Server URL processing functionality within the platform, while CVE-2025-2775 lies in the Checkin processing component.

Both vulnerabilities are classified as CWE-611 (Improper Restriction of XML External Entity Reference) in the Common Weakness Enumeration.

The technical nature of these vulnerabilities stems from inadequate input validation and sanitization mechanisms within SysAid’s XML processing routines.

When attackers craft malicious XML payloads containing external entity references, the vulnerable systems process these requests without proper security controls, creating pathways for unauthorized access and data extraction.
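Hardening against this class of bug is a parser-configuration problem rather than an application-logic one. The following added example is not SysAid's code and is not taken from the advisory; it shows a fail-closed XML parser built on Python's standard expat bindings that refuses DOCTYPE and entity declarations before any external reference could be resolved, exercised on constructed sample inputs.

```python
"""XXE-hardened XML parsing on Python's stdlib expat bindings.

Mirrors the CWE-611 mitigation: refuse any document that declares a
DOCTYPE, an entity, or an external entity reference while parsing, so a
crafted payload is rejected before the parser would dereference anything.
"""
import xml.parsers.expat


class ExternalEntityRejected(ValueError):
    """Raised when a document tries to declare or reference entities."""


def parse_untrusted_xml(data: bytes) -> list[str]:
    """Parse `data` and return the element names seen, or raise.

    The handlers fire during parsing, before any entity would be
    resolved, so a DOCTYPE carrying a SYSTEM entity is refused outright.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen: list[str] = []

    def reject(*_args):
        raise ExternalEntityRejected("DOCTYPE/entity declarations are not allowed")

    # Any DOCTYPE is refused: that is where ENTITY declarations live.
    parser.StartDoctypeDeclHandler = reject
    # Belt and braces: also refuse entity declarations and external refs.
    parser.EntityDeclHandler = reject
    parser.UnparsedEntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    parser.StartElementHandler = lambda name, _attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def is_safe(data: bytes) -> bool:
    """True if the document parses without any DOCTYPE/entity usage."""
    try:
        parse_untrusted_xml(data)
        return True
    except (ExternalEntityRejected, xml.parsers.expat.ExpatError):
        return False


# Constructed sample inputs (not from the advisory): a benign check-in body,
# one with an internal-only DTD, and one with an external entity (CWE-611).
BENIGN = b"<checkin><agent>host-01</agent></checkin>"
INTERNAL_DTD = b'<!DOCTYPE x [<!ENTITY a "b">]><checkin><agent>&a;</agent></checkin>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE x [<!ENTITY ext SYSTEM "file:///placeholder">]>'
       b"<checkin><agent>&ext;</agent></checkin>")
```

Rejecting every DOCTYPE, including internal-only ones, is deliberate: it fails closed and avoids having to reason about which declarations are harmless.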

The dual presence of these vulnerabilities across different functional components of SysAid suggests systemic issues with the platform’s XML handling capabilities.

Security researchers have identified that both vulnerabilities share similar attack vectors and exploitation techniques, indicating they may be part of a broader pattern of security weaknesses within SysAid’s codebase.

The simultaneous discovery and exploitation of these vulnerabilities raises concerns about the thoroughness of the vendor’s security testing and code review processes.

SysAid Vulnerabilities

The exploitation of these vulnerabilities grants attackers devastating capabilities within compromised SysAid environments.

Most critically, successful exploitation enables complete administrator account takeover, providing threat actors with elevated privileges across the entire IT service management infrastructure.

This level of access allows attackers to manipulate system configurations, access sensitive help desk data, and potentially pivot to other connected systems within the organization’s network.

For organizations unable to implement adequate mitigations promptly, CISA strongly advises discontinuing use of the affected SysAid products until proper security measures can be established.

Additionally, both vulnerabilities provide file read primitives, enabling attackers to extract sensitive information directly from the server’s file system.

This capability extends beyond typical database access, potentially exposing configuration files, log data, and other critical system information that could facilitate further compromise or reconnaissance activities.

The combination of administrative access and file system read capability gives attackers a powerful foothold that could support various malicious objectives, from data theft to system manipulation.

While CISA has not yet confirmed whether these vulnerabilities are being used in ransomware campaigns, their inclusion in the KEV catalog indicates active exploitation in real-world attacks.

The timing and nature of these vulnerabilities make them particularly attractive to ransomware operators seeking initial access vectors into corporate environments.

Mitigations

CISA has issued clear guidance for organizations running SysAid On-Prem systems, emphasizing the critical importance of immediate action.

The agency recommends that affected organizations apply vendor-provided mitigations according to SysAid’s official instructions as the primary remediation approach.

Organizations must also ensure compliance with Binding Operational Directive (BOD) 22-01 guidance, particularly for cloud service implementations that may be affected.

This recommendation underscores the severity of the vulnerabilities and the potential for significant organizational impact if left unaddressed.

Network defenders should prioritize these vulnerabilities within their vulnerability management frameworks, treating them as critical-severity issues requiring immediate attention and resources.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
