Two vulnerabilities in SysAid’s On-Prem IT support software, CVE-2025-2775 and CVE-2025-2776, have been added to the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, signaling increased concern around their potential abuse. While there are no confirmed reports of public exploitation or ransomware involvement to date, history suggests that SysAid products remain a viable target for threat actors.
These flaws, discovered by watchTowr Labs in late 2024 and patched in early 2025, are XML External Entity (XXE) injection vulnerabilities that allow attackers to extract sensitive files and administrator credentials from vulnerable servers. When chained with a separate post-authentication command injection bug (CVE-2024-36394), they can lead to full remote code execution (RCE) as SYSTEM — an extremely dangerous scenario that effectively gives attackers unrestricted access to compromised servers.
Though no active ransomware campaigns have yet exploited these specific flaws, CISA’s KEV designation highlights the need for urgent remediation — particularly given that SysAid products have been targeted before. In 2023, the Cl0p ransomware gang exploited a separate zero-day (CVE-2023-47246), using it to deploy malware across enterprise networks. That precedent, combined with the stealthy nature of XXE and RCE attacks, underscores why organizations must treat these vulnerabilities as critical.
This episode explores how the vulnerabilities work, what makes them exploitable in real-world attack chains, and why inclusion in CISA’s KEV catalog should be taken seriously, especially under Binding Operational Directive 22-01, which requires federal agencies to patch affected systems by strict deadlines.
We also dive into broader threat trends from CrowdStrike’s 2025 Global Threat Report: how attackers are increasingly going malware-free, leveraging AI, and moving at unprecedented speeds. With 79% of breaches no longer relying on malware and a 442% rise in vishing attacks, defenders must prepare for identity-based intrusions and rapidly evolving social engineering.
We wrap with actionable guidance: patch to SysAid version 24.4.60 or higher, conduct compromise assessments, disable external XML entity parsing, and strengthen access controls and monitoring to reduce lateral movement risk. Even if these vulnerabilities haven’t yet been publicly exploited, waiting for proof-of-exploit is no longer an option in today’s threat landscape.
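The XXE description above and the "disable external XML entity parsing" advice both come down to one parser setting: an XML document that is allowed to declare a DTD can declare an external entity, and a parser that resolves that entity will read whatever the entity points at. The following added example (not SysAid code, and not a description of how SysAid parses XML) shows the defensive side in Python's standard-library expat bindings: a cheap pre-parse detection rule that flags any DOCTYPE or ENTITY declaration, and a hardened parser that refuses DTDs outright and never resolves external references. The two sample documents and the `file:///PLACEHOLDER/secret.txt` identifier are constructed for the example; the same principle applies to whichever parser a product actually uses (on Java parsers the equivalent is the `disallow-doctype-decl` feature).

```python
"""Added example: reject DTD-bearing XML before it reaches the application.

Illustrative Python using only the standard library's expat bindings; it is
not SysAid code. The two sample documents below are constructed for the example.
"""
import re
import xml.parsers.expat as expat

# Constructed sample: a benign request body an IT-support API might accept.
BENIGN_XML = (
    '<?xml version="1.0"?>'
    "<ticket><title>Printer offline</title><body>Paper jam on floor 3</body></ticket>"
)

# Constructed sample: the same request shape carrying a DOCTYPE that declares an
# external entity. The SYSTEM identifier is a placeholder, not a real path.
DTD_BEARING_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE ticket [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt"> ]>'
    "<ticket><title>&ext;</title><body>hello</body></ticket>"
)


class DtdRejected(ValueError):
    """Raised when a document declares a DTD, the precondition every XXE needs."""


def detect_dtd(xml_text: str) -> bool:
    """Cheap pre-parse check suitable for a gateway rule or log-based detection:
    flag any DOCTYPE or ENTITY declaration, case-insensitively."""
    return re.search(r"<!(DOCTYPE|ENTITY)\b", xml_text, re.IGNORECASE) is not None


def parse_ticket_hardened(xml_text: str) -> dict:
    """Parse a <ticket> document with expat while refusing any DTD and never
    fetching external entities. Returns {"title": ..., "body": ...}."""
    parser = expat.ParserCreate()
    parser.buffer_text = True  # deliver each text run in a single callback
    # Belt and braces: even if a DTD slipped through, never expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    stack: list[str] = []
    fields: dict[str, list[str]] = {}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Equivalent in spirit to "disallow-doctype-decl" on Java parsers: the
        # exception propagates out of parser.Parse() and aborts parsing.
        raise DtdRejected(f"DOCTYPE '{name}' is not accepted")

    def on_entity_decl(*_):
        raise DtdRejected("entity declarations are not accepted")

    def on_external_entity(context, base, sysid, pubid):
        # Returning 0 tells expat to fail instead of resolving the reference.
        return 0

    def on_start(name, attrs):
        stack.append(name)
        if name in ("title", "body"):
            fields[name] = []

    def on_chars(data):
        if stack and stack[-1] in fields:
            fields[stack[-1]].append(data)

    def on_end(name):
        stack.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end

    parser.Parse(xml_text, True)
    return {name: "".join(parts) for name, parts in fields.items()}


def accepts(xml_text: str) -> bool:
    """True if the hardened parser accepts the document, False if it rejects a DTD."""
    try:
        parse_ticket_hardened(xml_text)
        return True
    except DtdRejected:
        return False


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("dtd-bearing", DTD_BEARING_XML)):
        print(f"{label}: pre-parse flag={detect_dtd(doc)} parser accepts={accepts(doc)}")
```

Two layers are shown on purpose: `detect_dtd` is what a reverse proxy or log pipeline can apply to every inbound body without understanding the schema, which is useful for compromise assessment of historical traffic, while `parse_ticket_hardened` is the application-side control that holds even if the front-end check is bypassed. Rejecting the DOCTYPE entirely, rather than only turning off entity expansion, is the simpler setting to audit and is what most XXE guidance recommends when the application has no legitimate need for DTDs.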
#SysAid #CVE20252775 #CVE20252776 #CISAKEV #XXEVulnerability #RemoteCodeExecution #RCE #KEVCatalog #WatchTowrLabs #CISAWarning #Cybersecurity #PatchNow #CommandInjection #Infosec #ITSupportSecurity #Cl0pRansomware #SysAidSecurity #XMLInjection #CrowdStrike2025 #CyberThreats #BindingDirective #IdentitySecurity #AdminTakeover #ThreatIntelligence