Ethical Hacking News
CISA warns of hackers exploiting SysAid vulnerabilities in attacks, urging all organizations to patch their systems immediately to prevent potential security breaches.
CISA has warned organizations to prioritize patching two actively exploited vulnerabilities in SysAid IT service management software. The vulnerabilities, CVE-2025-2775 and CVE-2025-2776, allow attackers to hijack administrator accounts and retrieve sensitive information. Dozens of exposed SysAid servers have been found online, mostly in North America and Europe, though the hosting provider has not been identified. CISA encourages all organizations to patch these vulnerabilities as soon as possible because such flaws are frequently targeted by malicious actors.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to all organizations, including private companies, to prioritize patching two actively exploited vulnerabilities in the SysAid IT service management software. The vulnerabilities, tracked as CVE-2025-2775 and CVE-2025-2776, are unauthenticated XML External Entity (XXE) flaws that allow attackers to hijack administrator accounts and retrieve sensitive information.
In December 2024, watchTowr Labs security researchers discovered the two flaws in SysAid On-Prem version 24.4.60. The vulnerabilities were later patched with the release of SysAid On-Prem version 24.4.60. However, just one month after the patch was released, watchTowr Labs published proof-of-concept code showing that the vulnerabilities are trivial to exploit.
According to Shadowserver data, dozens of exposed SysAid servers can be found online, with most of them located in North America and Europe. The hosting provider of these servers has not been identified. CISA has found no evidence that the two security flaws were exploited in ransomware attacks. However, the financially motivated cybercrime group FIN11 was previously found to have exploited a SysAid vulnerability (CVE-2023-47246) in 2023 as a zero-day to deploy Clop ransomware on compromised servers.
SysAid has over 5,000 customers and more than 10 million users across 140 countries worldwide. The company serves a diverse range of clients, from small businesses to Fortune 500 enterprises. Some high-profile companies that use SysAid include Xerox, IKEA, Coca-Cola, Honda, Michelin, and Motorola.
CISA has added the two vulnerabilities to its Known Exploited Vulnerabilities Catalog, giving Federal Civilian Executive Branch (FCEB) agencies three weeks to patch their systems by August 12 as mandated by the November 2021 Binding Operational Directive (BOD) 22-01. Although BOD 22-01 primarily targets U.S. federal agencies, CISA encourages all organizations to prioritize patching the two vulnerabilities as soon as possible.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned. The cybersecurity agency emphasized that vulnerabilities of this kind have frequently been targeted by malicious actors in the past and present a major threat to the security of the federal enterprise.
SysAid has not commented on this incident, but it is clear that all organizations using the software need to take immediate action to patch the two unauthenticated XML External Entity (XXE) flaws. This includes applying the latest version of SysAid On-Prem and ensuring that all instances are up-to-date with the current security patches.
In order to protect against these types of vulnerabilities, it is recommended that organizations prioritize regular software updates and patches. Additionally, implementing robust security measures such as multi-factor authentication and using secure protocols can help prevent unauthorized access to systems.
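As an added illustration of the XXE bug class named above and of the defensive advice, the following Python (not SysAid's code and not from the advisory) shows a pre-parse guard that refuses any DTD in an untrusted XML body, which is what an XXE-vulnerable parser would otherwise resolve, and triages a few constructed sample bodies; the sample contents, names and the example.invalid host are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD at all, and specifically external (SYSTEM/PUBLIC) general or parameter
# entity declarations, which are what an XXE-vulnerable parser would resolve.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)

class XxeRejected(ValueError):
    """Raised when an untrusted XML body carries a DTD and is refused before parsing."""

def classify_xml(body: bytes) -> str:
    """Triage an XML request body: 'external-entity', 'doctype' or 'clean'."""
    if EXTERNAL_ENTITY_RE.search(body):
        return "external-entity"
    if DOCTYPE_RE.search(body):
        return "doctype"
    return "clean"

def parse_untrusted_xml(body: bytes) -> ET.Element:
    """Hardened parse: an unauthenticated client never needs a DTD, so refuse any
    document that declares one before the XML parser sees it."""
    verdict = classify_xml(body)
    if verdict != "clean":
        raise XxeRejected(f"rejected XML body ({verdict})")
    return ET.fromstring(body)

# Constructed sample bodies (hypothetical; not taken from SysAid or the advisory).
SAMPLES = {
    "ticket": b'<?xml version="1.0"?><ticket><title>Printer offline</title></ticket>',
    "internal-dtd": b'<!DOCTYPE t [<!ENTITY greet "hi">]><t>&greet;</t>',
    "external-dtd": b'<!DOCTYPE t [<!ENTITY ext SYSTEM "http://example.invalid/x.dtd">]><t>&ext;</t>',
}

def triage(samples: dict) -> dict:
    """Return {name: (verdict, accepted)} showing what the hardened parser lets through."""
    result = {}
    for name, body in samples.items():
        try:
            parse_untrusted_xml(body)
            accepted = True
        except XxeRejected:
            accepted = False
        result[name] = (classify_xml(body), accepted)
    return result

if __name__ == "__main__":
    for name, (verdict, accepted) in triage(SAMPLES).items():
        print(f"{name:14} {verdict:16} accepted={accepted}")
```

The same classify_xml check can be run over captured request bodies from web-server or WAF logs to flag attempts against an unpatched instance.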
The incident highlights the importance of ongoing patching and vigilance in maintaining the security of software applications. Organizations must stay alert and proactive in identifying vulnerabilities before they are exploited by malicious actors.
Published: Wed Jul 23 10:19:20 2025 by llama3.2 3B Q4_K_M