CISA Alerts: Hackers Exploiting SysAid Flaws in Active Attacks

Summary
– CISA warns that attackers are exploiting two XXE vulnerabilities (CVE-2025-2775 and CVE-2025-2776) in unpatched SysAid ITSM installations to hijack administrator accounts.
– The vulnerabilities, reported in December 2024 and patched in March 2025, are trivial to exploit and allow access to sensitive local files, as shown by watchTowr Labs’ PoC code.
– CISA added the flaws to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch by August 12, while urging all organizations to prioritize updates.
– While no ransomware attacks using these flaws have been found, FIN11 previously exploited a SysAid vulnerability (CVE-2023-47246) in 2023 for Clop ransomware attacks.
– SysAid, which serves over 5,000 clients globally, including major corporations like IKEA and Coca-Cola, confirmed it has patched the vulnerabilities and encourages all customers to update their systems.
Federal cybersecurity officials have issued an urgent warning about active attacks targeting unpatched SysAid IT management systems. Hackers are exploiting critical vulnerabilities to gain unauthorized access to sensitive data and administrative controls, putting organizations at serious risk.
The two security flaws, identified as CVE-2025-2775 and CVE-2025-2776, involve XML External Entity (XXE) vulnerabilities that allow attackers to extract confidential files without authentication. Originally discovered by researchers in late 2024, these weaknesses were addressed in SysAid On-Prem version 24.4.60 released this March. However, proof-of-concept exploit code surfaced publicly in April, demonstrating how easily these flaws could be weaponized.
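The defensive counterpart to an XXE bug of this kind is to refuse a DTD before the parser ever sees it: a document that declares no DOCTYPE cannot define external entities. The following is an added illustration, not SysAid's code or part of the original article; in Java parsers the same idea is the `http://apache.org/xml/features/disallow-doctype-decl` feature.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# A document without a DTD cannot define entities, external or otherwise, so
# refusing any DOCTYPE removes the whole XXE class. The scan is case-insensitive
# on purpose, even though XML itself is case-sensitive.
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY", re.IGNORECASE)

class XxeRejected(ValueError):
    """Raised when untrusted XML tries to declare a DTD or entities."""

def _to_text(data: bytes) -> str:
    # A byte-level scan misses UTF-16 documents ('<' becomes '<\x00'), so
    # decode first; the BOM selects the decoder.
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")

def inspect_xml(data: bytes) -> Optional[str]:
    """Return a rejection reason, or None if the document carries no DTD."""
    text = _to_text(data)
    if DOCTYPE_RE.search(text):
        return "DOCTYPE declaration present"
    if ENTITY_RE.search(text):
        return "ENTITY declaration outside a DOCTYPE"
    return None

def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an unauthenticated client, refusing anything with a DTD."""
    reason = inspect_xml(data)
    if reason is not None:
        raise XxeRejected(reason)
    return ET.fromstring(data)

# Constructed sample inputs: a benign ticket document and a textbook XXE probe
# whose SYSTEM identifier points at a placeholder path, not a real file.
BENIGN = b'<?xml version="1.0"?><ticket><title>Printer offline</title></ticket>'
XXE_PROBE = (b'<?xml version="1.0"?><!DOCTYPE t [<!ENTITY xxe SYSTEM '
             b'"file:///placeholder/secret.txt">]><ticket>&xxe;</ticket>')

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN).find("title").text)    # Printer offline
    print(inspect_xml(XXE_PROBE))                            # DOCTYPE declaration present
    print(inspect_xml(XXE_PROBE.decode().encode("utf-16")))  # DOCTYPE declaration present
```

The pre-parse check also gives the application a clean place to log the rejected request, which is the detection signal a SOC would want for probes against an XML endpoint.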
CISA has now added these vulnerabilities to its Known Exploited Vulnerabilities Catalog, requiring all federal agencies to apply patches by August 12 under Binding Operational Directive 22-01. While the mandate specifically applies to government systems, private sector organizations are strongly urged to follow suit given the active exploitation in the wild. “These vulnerabilities represent prime targets for malicious actors and create substantial security gaps,” the agency emphasized in its advisory.
SysAid’s on-premises software helps businesses streamline IT service management across their networks. Security monitoring indicates dozens of vulnerable instances remain exposed globally, with concentrations in North America and Europe. Though no ransomware campaigns have been linked to these specific flaws yet, cybercriminal groups like FIN11 previously weaponized similar SysAid vulnerabilities to deploy Clop ransomware during 2023 attacks.
The software vendor has confirmed the availability of fixes. “We’ve implemented comprehensive patches for these issues and continue working closely with CISA to ensure proper remediation,” a company representative stated. SysAid serves over 5,000 organizations worldwide, including major corporations like Coca-Cola, Honda, and IKEA, making widespread patching critical for preventing potential breaches.
Security teams should immediately inventory any SysAid deployments and prioritize updating to the latest secure version. With working exploit code publicly available and attacks already underway, delaying patches could leave systems vulnerable to data theft and network compromise. Proactive mitigation remains the most effective defense against these actively exploited vulnerabilities.
(Source: BLEEPINGCOMPUTER)