CISA has warned that attackers are actively exploiting two security vulnerabilities in the SysAid IT service management (ITSM) software to hijack administrator accounts.
The two unauthenticated XML External Entity (XXE) flaws, tracked as CVE-2025-2775 and CVE-2025-2776, were reported by watchTowr Labs security researchers in December 2024 and patched in March with the release of SysAid On-Prem version 24.4.60.
One month later, watchTowr Labs also published proof-of-concept code, showing that the SysAid vulnerabilities are trivial to exploit and allow attackers to retrieve local files containing sensitive information.
While CISA didn’t share any additional details regarding these ongoing attacks, it did add the two vulnerabilities to its Known Exploited Vulnerabilities Catalog, giving Federal Civilian Executive Branch (FCEB) agencies three weeks to patch their systems by August 12 as mandated by the November 2021 Binding Operational Directive (BOD) 22-01.
Although BOD 22-01 primarily targets U.S. federal agencies, the cybersecurity agency encourages all organizations, including private companies, to prioritize patching the two actively exploited flaws as soon as possible.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
SysAid On-Prem is hosted on customers’ infrastructure, enabling IT teams to manage various services within an organization. According to Shadowserver data, dozens of SysAid instances are currently exposed online, most of them from North America and Europe.
CISA has found no evidence that the two security flaws were exploited in ransomware attacks. However, the FIN11 financially motivated cybercrime group exploited a SysAid vulnerability (CVE-2023-47246) in 2023 to deploy Clop ransomware on compromised servers in zero-day attacks.
SysAid has over 5,000 customers and more than 10 million users across 140 countries worldwide, serving a diverse range of clients, from small businesses to Fortune 500 enterprises, including high-profile companies such as Xerox, IKEA, Coca-Cola, Honda, Michelin, and Motorola.
The company didn’t reply to a request for comment when BleepingComputer reached out earlier today.
Contain emerging threats in real time – before they impact your business.
Learn how cloud detection and response (CDR) gives security teams the edge they need in this practical, no-nonsense guide.