Date: 9 May 2025
SysAid has released security updates addressing four critical vulnerabilities in its on-premise IT support software. These flaws allow unauthenticated remote attackers to execute code with elevated privileges, placing affected environments at high risk of full system compromise.
Affected Product
- SysAid On-Premise IT Support Software (versions earlier than 24.4.60 b16)
Vulnerability Overview
Four CVEs have been identified, including three XML External Entity (XXE) injection flaws and one command injection vulnerability. Exploitation requires no user interaction or authentication.
- CVE-2025-2775 and CVE-2025-2776 affect the /mdm/checkin endpoint and allow unsafe XML parsing
- CVE-2025-2777 affects the /lshw endpoint and has similar impact
- CVE-2025-2778 allows operating system command injection and can be chained with the XXE vulnerabilities to achieve remote code execution
Technical Details
The vulnerabilities allow attackers to craft malicious XML input that is processed without proper validation. This can be used to perform server-side request forgery (SSRF), read sensitive local files, and escalate privileges.
One critical file often targeted is InitAccount.cmd, which contains the administrator username and password in plain text. If retrieved, attackers can gain full administrative access to the SysAid platform.
When combined with the command injection vulnerability, attackers can execute arbitrary commands on the host operating system. These attacks can be launched via simple HTTP POST requests to exposed endpoints.
A public proof-of-concept exploit has been released, increasing the likelihood of widespread or opportunistic attacks.
Impact
- Full compromise of the SysAid on-premise server
- Exposure of administrative credentials and configuration data
- Potential for lateral movement across internal systems
- Risk of ransomware deployment or destructive payloads
- Service disruption affecting IT support operations
Mitigation and Recommendations
Immediate Actions
- Upgrade to SysAid version 24.4.60 b16 or later. This update addresses all known vulnerabilities.
- If you cannot upgrade immediately, restrict access to the SysAid web interface to internal, trusted networks only.
- Monitor system and web server logs for unusual POST requests targeting /mdm/checkin or /lshw.
- Rotate administrator credentials, especially if compromise is suspected or confirmed.
Long-Term Recommendations
- Implement network segmentation for IT management systems
- Enforce multi-factor authentication for all administrative access
- Regularly apply vendor patches and updates as soon as they are released
- Perform periodic security reviews, including vulnerability scans and penetration testing
Detection
Watch for unusual or repeated HTTP POST requests to the vulnerable endpoints. Investigate any suspicious access to files like InitAccount.cmd or evidence of unexpected command execution. Security monitoring tools and intrusion detection systems should be updated with relevant signatures or indicators of compromise.
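The log review described above, as an added example that is not part of the original advisory: a small scanner that parses combined-format web server access logs, flags POST requests to the /mdm/checkin and /lshw endpoints, and reports source addresses that hit them repeatedly. The log lines, the threshold and the log format are constructed assumptions; adjust the regex to your server's actual format.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format) for demonstration.
# They are not real traffic from any SysAid deployment.
SAMPLE_LOG = """\
203.0.113.5 - - [09/May/2025:10:01:02 +0000] "POST /mdm/checkin HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [09/May/2025:10:01:03 +0000] "GET /Login.jsp HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [09/May/2025:10:01:05 +0000] "POST /lshw HTTP/1.1" 200 128 "-" "python-requests/2.31"
203.0.113.5 - - [09/May/2025:10:01:06 +0000] "POST /mdm/checkin HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints named in the advisory (CVE-2025-2775/2776: /mdm/checkin, CVE-2025-2777: /lshw).
WATCHED_ENDPOINTS = {"/mdm/checkin", "/lshw"}


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text, threshold=2):
    """Return (hits, repeat_sources): POSTs to watched endpoints, and the
    source IPs that made at least `threshold` of them (threshold is an assumption)."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if rec["method"] == "POST" and path in WATCHED_ENDPOINTS:
            hits.append((rec["ip"], rec["ts"], path, int(rec["status"])))
            per_ip[rec["ip"]] += 1
    repeat_sources = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return hits, repeat_sources


if __name__ == "__main__":
    hits, sources = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print("POST to watched endpoint:", h)
    print("Sources with repeated hits:", sources)
```

Feed it your real access log instead of SAMPLE_LOG and treat any external source in the repeat list as a lead for incident response, remembering that a 500 response does not mean the request failed to reach the vulnerable parser.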
Summary for SOC Teams
- Severity: Critical (Pre-auth RCE with admin access)
- Attack Vector: Remote, unauthenticated HTTP POST requests
- Exploitation Ease: Trivial with publicly available PoC
- Impact: Full system compromise
- Required Action: Immediate patching and network access control
Reference
- The Hacker News article: SysAid Patches 4 Critical Flaws Enabling Pre-Auth RCE
Need Help?
If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.