
Critical Pre-Auth RCE Vulnerabilities Found in SysAid On-Premise ITSM Solution


Cybersecurity research firm watchTowr has disclosed multiple critical vulnerabilities in SysAid's on-premises IT Service Management (ITSM) solution, which could allow attackers to gain unauthorized remote command execution with SYSTEM privileges.

The vulnerabilities affect SysAid On-Premise versions 23.3.40 and earlier, with the research focusing on a chain of exploits combining three XML External Entity (XXE) injection vulnerabilities (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777) with a post-authentication OS command injection vulnerability (CVE-2025-2778).

According to watchTowr, attackers could exploit these vulnerabilities to achieve pre-authentication remote command execution through a well-crafted attack chain. The process begins with exploiting XXE vulnerabilities in the /mdm/checkin, /mdm/serverurl, or /lshw endpoints, which allows attackers to extract the administrator's plaintext password from an installation file that remains on the system after setup.

"This file is created during installation by SysAid and contains the clear-text password of the main administrator in its first line," the researchers noted, referring to the InitAccount.cmd file stored in the SysAid logs directory.

Once administrative access is obtained, attackers can then use the command injection vulnerability in the API settings functionality to execute arbitrary commands with SYSTEM privileges. The vulnerability stems from insufficient input validation of the javaLocation parameter, which is directly incorporated into script files executed by the system.

The researchers demonstrated a complete exploitation chain where they first extracted administrator credentials via XXE, logged into the application, and then injected malicious commands that would execute when the API update script runs.
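As an added example (not code from watchTowr's research or from SysAid), the small Python triage script below flags requests to the three reported endpoints that carry a DTD or entity declaration, flags a javaLocation value containing shell metacharacters, and compares an installed version against the fixed release named in the article. The API-settings path and all sample traffic are constructed placeholders; real detection should also rely on disabling DTD processing in the XML parser, which this script cannot do.

```python
import re
from dataclasses import dataclass, field

# Endpoints watchTowr named as XXE-vulnerable in SysAid On-Premise 23.3.40 and earlier.
XXE_ENDPOINTS = {"/mdm/checkin", "/mdm/serverurl", "/lshw"}
FIXED_VERSION = (24, 4, 60)  # first fixed release named in the article
# A DTD or entity declaration in the decoded body is the one thing an XXE payload cannot omit.
DTD_RE = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)
# cmd.exe metacharacters that a genuine Java install path never contains.
SHELL_META_RE = re.compile(r"[&|;`^<>\r\n]|%[A-Za-z_]+%")

@dataclass
class Request:
    method: str
    path: str
    body: str = ""
    params: dict = field(default_factory=dict)

def is_patched(version):
    # "23.3.40" -> (23, 3, 40); fixed when at or above 24.4.60
    return tuple(int(p) for p in version.split(".")) >= FIXED_VERSION

def classify(req):
    # Findings for one request; empty list when nothing resembles the reported chain.
    findings = []
    path = req.path.split("?", 1)[0].lower()
    if path in XXE_ENDPOINTS and DTD_RE.search(req.body):
        findings.append(f"DTD/entity declaration sent to {path}: possible XXE")
    java_location = req.params.get("javaLocation")
    if java_location is not None and SHELL_META_RE.search(java_location):
        findings.append("shell metacharacters in javaLocation: possible command injection")
    return findings

# Constructed sample traffic, not captured from a real system; the settings path is a placeholder.
SAMPLES = {
    "benign_checkin": Request("POST", "/mdm/checkin", "<checkin><id>dev-01</id></checkin>"),
    "xxe_checkin": Request("POST", "/mdm/checkin",
        '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///placeholder">]><checkin>&e;</checkin>'),
    "benign_settings": Request("POST", "/api-settings-placeholder",
        params={"javaLocation": r"C:\Program Files\Java\jre\bin"}),
    "injected_settings": Request("POST", "/api-settings-placeholder",
        params={"javaLocation": r"C:\Java & echo injected"}),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, "->", classify(req) or "clean")
```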

SysAid has addressed these vulnerabilities in version 24.4.60. The vendor has previously been targeted by ransomware groups because the product is a business-critical application that often holds sensitive organizational data.

Organizations using SysAid On-Premise are urged to update to the latest version immediately to mitigate these risks.
