SysAid Flaws Under Active Attack Enable Remote File Access and SSRF


Jul 23, 2025 Ravie Lakshmanan Vulnerability / Software Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws impacting SysAid IT support software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerabilities in question are listed below –

  • CVE-2025-2775 (CVSS score: 9.3) – An improper restriction of XML external entity (XXE) reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives
  • CVE-2025-2776 (CVSS score: 9.3) – An improper restriction of XML external entity (XXE) reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives

Both shortcomings were disclosed by watchTowr Labs researchers Sina Kheirkhah and Jake Knott back in May, alongside CVE-2025-2777 (CVSS score: 9.3), a pre-authenticated XXE within the /lshw endpoint.

The three vulnerabilities were addressed by SysAid in on-premise version 24.4.60 build 16, released in early March 2025.

The cybersecurity firm noted that the vulnerabilities could allow attackers to inject unsafe XML entities into the web application, resulting in a Server-Side Request Forgery (SSRF) attack and, in some cases, remote code execution when chained with CVE-2024-36394, a command injection flaw disclosed by CyberArk last June.
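The two KEV entries above and the SSRF chain just described share one root cause: an XML parser that honours entity declarations in client-supplied documents. The following is an added example (not SysAid's code, and not from the watchTowr write-up) of the two defensive controls that close that class of bug in a check-in style endpoint: refusing any document that carries a DTD at all, so no external entity can be declared, and validating a URL field taken from the document against an allowlist before it is ever used for an outbound request. The element names, the allowlist host, and the sample payloads are constructed for illustration; only the Python standard library is used.

```python
"""Added example: hardened intake for client-supplied XML (constructed, not SysAid's code).

Control 1: reject any DOCTYPE before parsing, which removes internal, external and
parameter entities as a class (entities can only be declared inside a DTD).
Control 2: a URL carried inside the document is validated against an allowlist
and rejected if it is a loopback, private, link-local or reserved IP literal,
so the server never makes an attacker-chosen outbound request (SSRF).
"""
import ipaddress
import xml.etree.ElementTree as ET
import xml.parsers.expat
from urllib.parse import urlsplit


class DTDForbidden(ValueError):
    """Raised when an inbound document declares a DOCTYPE."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Walk the document with a bare expat parser and abort on the first DOCTYPE.

    Malformed XML raises xml.parsers.expat.ExpatError, which the caller maps to
    a rejection as well.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised in an expat handler stop parsing and propagate.
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed in a check-in payload")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)


def parse_checkin(xml_bytes: bytes) -> dict:
    """Parse a (hypothetical) <checkin> document after the DTD gate.

    Returns a dict of child-element name -> text. ElementTree does not fetch
    external entities itself, so this is defence in depth behind reject_dtd().
    """
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != "checkin":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {child.tag: (child.text or "").strip() for child in root}


# Constructed allowlist: the only host a check-in may point the server at.
ALLOWED_SERVER_HOSTS = frozenset({"helpdesk.example.com"})


def validate_server_url(url: str) -> str:
    """Accept only https URLs whose host is on the allowlist.

    IP literals in non-public ranges are rejected explicitly so that a value
    such as https://127.0.0.1/ fails with a clear reason rather than by
    accident of not being on the allowlist.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("server URL must use https")
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError("server URL has no host")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a DNS name, not an IP literal
    if addr is not None and (
        addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_reserved
    ):
        raise ValueError("server URL points at a non-public address")
    if host not in ALLOWED_SERVER_HOSTS:
        raise ValueError(f"server host {host!r} is not on the allowlist")
    return url


def triage(payload: bytes) -> str:
    """Run both controls over one payload and return a one-line verdict."""
    try:
        fields = parse_checkin(payload)
        validate_server_url(fields.get("serverUrl", ""))
    except DTDForbidden as exc:
        return f"rejected-dtd: {exc}"
    except (ValueError, ET.ParseError, xml.parsers.expat.ExpatError) as exc:
        return f"rejected: {exc}"
    return f"accepted: agent={fields.get('agent', '')}"


# Constructed sample payloads (not captured traffic).
BENIGN = (
    b'<?xml version="1.0"?>\n'
    b"<checkin><agent>ws-0142</agent>"
    b"<serverUrl>https://helpdesk.example.com/api</serverUrl></checkin>"
)
WITH_DTD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE checkin [ <!ENTITY ext SYSTEM "http://intranet.example.invalid/"> ]>\n'
    b"<checkin><agent>&ext;</agent>"
    b"<serverUrl>https://helpdesk.example.com/api</serverUrl></checkin>"
)
BAD_URL = (
    b"<checkin><agent>ws-0142</agent>"
    b"<serverUrl>https://127.0.0.1/api</serverUrl></checkin>"
)

if __name__ == "__main__":
    for label, payload in (("benign", BENIGN), ("dtd", WITH_DTD), ("bad-url", BAD_URL)):
        print(f"{label:8s} {triage(payload)}")
```

Rejecting the DTD outright is the simplest robust fix because it needs no knowledge of which entity kinds a given parser expands; if a deployment must accept DTDs, the equivalent control is to disable external general and parameter entities on the parser and to refuse external DTD subsets. The URL allowlist is the part that addresses the SSRF angle specifically: a parser fix alone does not stop a legitimately parsed field from being pointed at an internal address.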

It's currently not known how CVE-2025-2775 and CVE-2025-2776 are being exploited in real-world attacks. Nor is any information available regarding the identity of the threat actors, their end goals, or the scale of these efforts.

To safeguard against the active threat, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by August 12, 2025.