The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security flaws impacting SysAid IT support software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are listed below –
- CVE-2025-2775 (CVSS score: 9.3) – An improper restriction of XML external entity (XXE) reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives
- CVE-2025-2776 (CVSS score: 9.3) – An improper restriction of XML external entity (XXE) reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives
Both shortcomings were disclosed by watchTowr Labs researchers Sina Kheirkhah and Jake Knott back in May, alongside CVE-2025-2777 (CVSS score: 9.3), a pre-authenticated XXE within the /lshw endpoint.
The three vulnerabilities were addressed by SysAid in the on-premise version 24.4.60 build 16 released in early March 2025.
The cybersecurity firm noted that the vulnerabilities could allow attackers to inject unsafe XML entities into the web application, resulting in a Server-Side Request Forgery (SSRF) attack, and in some cases, remote code execution when chained with CVE-2024-36394, a command injection flaw revealed by CyberArk last June.
It’s currently not known how CVE-2025-2775 and CVE-2025-2776 are being exploited in real-world attacks. Nor is any information available regarding the identity of the threat actors, their end goals, or the scale of these efforts.
To safeguard against the active threat, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by August 12, 2025.
