The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws impacting SysAid IT support software to its Known Exploited Vulnerabilities (KEV) catalog. This decision stems from evidence of active exploitation.
The following vulnerabilities include:
- CVE-2025-2775 (CVSS score: 9.3) – This vulnerability involves an improper restriction of XML external entity (XXE) reference in the Checkin processing functionality, which allows for administrator account takeover and file read primitives.
- CVE-2025-2776 (CVSS score: 9.3) – Similarly, this vulnerability features an improper restriction of XML external entity (XXE) reference in the Server URL processing functionality, enabling administrator account takeover and file read primitives.
WatchTowr Labs researchers Sina Kheirkhah and Jake Knott disclosed both shortcomings back in May. They also reported CVE-2025-2777 (CVSS score: 9.3), which presents a pre-authenticated XXE within the /lshw endpoint.
SysAid addressed the three Vulnerabilities in the on-premise version 24.4.60 build 16, which the company released in early March 2025.
The cybersecurity firm noted that these Vulnerabilities could allow attackers to inject unsafe XML entities into the web application. Consequently, this situation may result in a Server-Side Request Forgery (SSRF) attack, and in some cases, remote code execution when chained with CVE-2024-36394, a command injection flaw revealed by CyberArk last June.
Currently, it remains unknown how CVE-2025-2775 and CVE-2025-2776 are being Exploited in Real-world attacks. Additionally, no information is available regarding the identity of the threat actors, their end goals, or the scale of these efforts.
To safeguard against the active threat, Federal Civilian Executive Branch (FCEB) agencies must apply the necessary fixes by August 12, 2025.
Source: TheHackerNews
Read more at Impreza News
