CISA warns of hackers exploiting SysAid vulnerabilities in attacks
CISA has warned that attackers are actively exploiting two security vulnerabilities in the SysAid IT service management (ITSM) software to hijack administrator accounts.
The two unauthenticated XML External Entity (XXE) flaws, tracked as CVE-2025-2775 and CVE-2025-2776, were reported by watchTowr Labs security researchers in December 2024 and patched in March with the release of SysAid On-Prem version 24.4.60.
One month later, watchTowr Labs also published proof-of-concept code, showing that the SysAid vulnerabilities are trivial to exploit and allow attackers to retrieve local files containing sensitive information.
While CISA didn't share any additional details regarding these ongoing attacks, it did add the two vulnerabilities to its Known Exploited Vulnerabilities Catalog, giving Federal Civilian Executive Branch (FCEB) agencies three weeks to patch their systems by August 12 as mandated by the November 2021 Binding Operational Directive (BOD) 22-01.
Although BOD 22-01 primarily targets U.S. federal agencies, the cybersecurity agency encourages all organizations, including private companies, to prioritize patching the two actively exploited flaws as soon as possible.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned.
SysAid On-Prem is hosted on customers' infrastructure, enabling IT teams to manage various services within an organization. According to Shadowserver data, dozens of SysAid instances are currently exposed online, most of them from North America and Europe.
CISA has found no evidence that the two security flaws were exploited in ransomware attacks. However, the FIN11 financially motivated cybercrime group exploited a SysAid vulnerability (CVE-2023-47246) in 2023 to deploy Clop ransomware on compromised servers in zero-day attacks.
"At SysAid, we take security very seriously and would like to assure our users that we have addressed and mitigated these vulnerabilities through appropriate patches," a SysAid spokesperson told BleepingComputer.
"We have also provided CISA with the latest information on how to patch these vulnerabilities, and we encourage all customers to ensure their systems are updated with the most recent security updates."
SysAid has over 5,000 customers and more than 10 million users across 140 countries worldwide, serving a diverse range of clients, from small businesses to Fortune 500 enterprises, including high-profile companies such as Xerox, IKEA, Coca-Cola, Honda, Michelin, and Motorola.
Update July 24, 03:33 EDT: Added SysAid statement.
Ukraine arrests suspected admin of XSS Russian hacking forum
npm 'accidentally' removes Stylus package, breaks builds and pipelines
Free online web security scanner
