On May 7, 2025, watchTowr publicly disclosed technical details and a proof-of-concept (PoC) exploit for a pre-authenticated Remote Code Execution (RCE) chain affecting SysAid On-Premises, a self-hosted IT service management (ITSM) platform used by organizations to manage IT support tasks.
Although the vulnerabilities were patched in March 2025, they had not been assigned Common Vulnerabilities and Exposures (CVE) identifiers and were disclosed for the first time with watchTowr’s publication. Common Vulnerability Scoring System (CVSS) scores have not been assigned.
Given the low barrier to exploitation and the public availability of a PoC exploit, this vulnerability presents an attractive target for threat actors. In 2023, threat actors exploited a zero-day vulnerability in SysAid On-Premises to deploy Cl0p ransomware.
Vulnerabilities
Three of the vulnerabilities—CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777—are pre-authenticated XML External Entity (XXE) injection issues discovered by watchTowr. While they stem from the same underlying flaw in the application’s XML parsing logic, they are tracked separately. A remote, unauthenticated threat actor can exploit these vulnerabilities by sending specially crafted HTTP POST requests that cause the application to fetch and process external data from threat actor-controlled servers. The vulnerabilities can also be leveraged to extract a file created during installation that contains the main administrator’s clear-text password.
The fourth vulnerability, CVE-2025-2778, is a post-authentication command injection flaw discovered by an unknown party. It can be chained with the XXE vulnerabilities to achieve full remote code execution.
Recommendations for CVE-2025-2775
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| SysAid On-Premise | 23.3.40 and prior | 24.4.60 and later |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
References
