SysAid ITSM Platform Vulnerabilities Allow Pre-authenticated Remote Command Execution

watchTowr Labs researchers have disclosed a critical vulnerability chain in SysAid’s On-Premise IT Service Management (ITSM) platform that allows attackers to achieve pre-authenticated Remote Command Execution (RCE).
The findings detail how multiple XML External Entity (XXE) vulnerabilities combined with an OS command injection flaw create a dangerous attack vector against the widely used enterprise software.
Three XXE vulnerabilities were identified (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777) that can be exploited without authentication.
These flaws exist in SysAid’s Mobile Device Management (MDM) endpoints and the hardware inventory service, allowing attackers to extract sensitive system files.
“We identified that a critical file containing administrator credentials in plaintext remains on the filesystem post-installation,” watchTowr Labs researchers shared with Cyber Security News.
“Using our XXE vulnerabilities, we could extract the administrator password from the InitAccount.cmd file, giving us full administrative access to the platform.”
Technical Details: XXE and Command Injection
The vulnerability chain begins with three distinct XML External Entity (XXE) vulnerabilities (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777) present in SysAid’s Mobile Device Management (MDM) and hardware inventory endpoints.
These flaws allow attackers to send crafted XML payloads that force the application to disclose sensitive files from the server’s filesystem.
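As an added defensive example (not code from SysAid or from the watchTowr research), the following Python shows the parser hardening that closes this class of flaw: a standard-library expat parser for untrusted MDM or inventory XML that refuses any DOCTYPE or entity declaration before the parser could resolve it. The element names and the file path in the sample inputs are constructed.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Untrusted XML carried a DTD, entity declaration or external entity."""


def _reject(*_args):
    raise UnsafeXMLError("DOCTYPE/entity declarations are not accepted")


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse client XML into {tag, attrs, text, children}; any DTD aborts."""
    parser = expat.ParserCreate()
    parser.buffer_text = True
    # Never read parameter entities; abort on any DOCTYPE, entity declaration
    # or external entity reference before the parser could resolve it.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _reject
    parser.EntityDeclHandler = _reject
    parser.ExternalEntityRefHandler = _reject
    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start(name, attrs):
        node = {"tag": name, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def chars(text):
        stack[-1]["text"] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda _name: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return root["children"][0]


def rejects_xml(data: bytes) -> bool:
    """True when the guard refuses the document (for tests and probes)."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample of a benign inventory-style document.
    print(parse_untrusted_xml(b'<device><id>abc</id><os name="x"/></device>'))
```

Rejecting every DTD also blocks internal-entity expansion attacks, so the guard refuses more than the external SYSTEM entities this advisory concerns.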
Researchers found that the file InitAccount.cmd, left behind after installation, contains plaintext administrator credentials. By exploiting the XXE vulnerabilities, attackers can extract this file and obtain the admin password.
With administrative access, attackers can then leverage a post-authentication OS command injection vulnerability (CVE-2025-2778) in the API.jsp endpoint.
This flaw allows arbitrary command execution via the javaLocation parameter, which is unsafely incorporated into shell scripts.
This vulnerability chain is particularly concerning because SysAid ITSM solutions are business-critical applications that contain sensitive information about internal tickets, incidents, knowledge base entries, and asset inventories.
Affected Version and Remediation
All SysAid On-Premise installations running versions 23.3.40 or earlier are affected.
SysAid has addressed these vulnerabilities in version 24.4.60, released in March 2025. Organizations using SysAid On-Premise are strongly urged to update immediately.
This isn’t the first time SysAid has faced serious security issues. In November 2023, a zero-day vulnerability (CVE-2023-47246) was exploited by the threat group Lace Tempest, also known as DEV-0950.
That vulnerability allowed attackers to upload malicious WAR archives to gain unauthorized access.
“ITSM solutions remain an extremely attractive target to ransomware gangs who look for any opportunity to double-extort organizations, encrypt systems, and steal sensitive data,” the researchers added.
Organizations using SysAid On-Premise should:
- Immediately update to version 24.4.60 or later.
- Conduct a comprehensive security assessment to identify potential compromise.
- Review logs for suspicious activities related to the vulnerable endpoints.
- Implement network-level protections to restrict access to SysAid instances.
Security experts emphasize that enterprise software with extensive feature sets, like SysAid, often has an enlarged attack surface.
The discovery underscores the importance of regular security assessments for business-critical applications, as they remain prime targets for sophisticated threat actors.