Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution, enabling unauthenticated attackers to execute remote commands by exploiting several pre-auth XML External Entity (XXE) injection flaws.
The vulnerabilities, registered as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, highlight systemic risks in widely used IT Service Management platforms.
SysAid ITSM On-Premise Plagued by Pre-Auth XXE Flaws
SysAid ITSM is a business-critical support ticketing and IT asset management platform, widely deployed in corporate environments.
According to recent research by TowerLabs, attackers can exploit three distinct pre-auth XXE vulnerabilities on unpatched SysAid On-Premise deployments, potentially leading to Remote Command Execution (RCE) as the privileged SYSTEM user on Windows servers.

Vulnerability Breakdown
1. XXE in /mdm/checkin Endpoint (CVE-2025-2775):
A flaw in the GetMdmMessage#doPost handler allows unauthenticated POST requests containing malicious XML to be parsed without sanitization.
This triggers a classic XXE vulnerability, letting attackers leverage external entities, such as remote DTDs, to extract sensitive files and interact with internal services.
2. XXE in /mdm/serverurl Endpoint (CVE-2025-2776):
A second, nearly identical XXE exists in the same handler but for the /mdm/serverurl path, again allowing crafted XML payloads to trigger unauthenticated XXE.
3. XXE in /lshw Endpoint (CVE-2025-2777):
A third pre-auth XXE is present in the LshwAgent#doPost function. Here, user-supplied XML is handled by a SAX parser with no input validation, enabling attackers to inject arbitrary entities and escalate the attack.
While XXE vulnerabilities can sometimes be limited to file disclosure, in the case of SysAid ITSM, researchers demonstrated the ability to leak local files and probe internal network resources.
Despite recent mitigations in Java that hinder full file exfiltration, attackers can still extract single-line content or leverage error-based techniques for data leakage.
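The common thread in all three findings is a Java XML parser fed unauthenticated input with entity processing left enabled. The following is an added example, not code from SysAid or from the TowerLabs research, showing how a SAX parser is configured so that such input cannot declare or resolve entities at all. Refusing any DOCTYPE is the decisive setting: it removes classic file disclosure, remote DTD loading and the error-based leakage that still works against newer JDKs. The class name, the check-in style sample documents and the feature list are assumptions for the illustration; the feature URIs are the standard ones accepted by the JDK's built-in Xerces parser.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxParsing {

    // A SAX parser configured so that XML from an unauthenticated client cannot
    // declare or resolve entities. Feature names are those understood by the
    // JDK's built-in Xerces parser.
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // The decisive setting: refuse any DOCTYPE, so no entity can be declared.
        // This blocks file disclosure, remote DTDs and error-based leakage alike.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, for code paths where a DOCTYPE must be tolerated.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setNamespaceAware(true);
        return factory;
    }

    // Parses one document with the hardened parser and returns the element names
    // it contained; a rejected document surfaces as a SAXParseException.
    static List<String> elementNames(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParser parser = hardenedFactory().newSAXParser();
        List<String> names = new ArrayList<>();
        DefaultHandler handler = new DefaultHandler() {
            @Override
            public void startElement(String uri, String local, String qName, Attributes atts) {
                names.add(qName);
            }
            // Last line of defence: if entity resolution is ever attempted, hand back
            // an empty document rather than touching the file system or network.
            @Override
            public InputSource resolveEntity(String publicId, String systemId) {
                return new InputSource(new StringReader(""));
            }
        };
        parser.parse(new InputSource(new StringReader(xml)), handler);
        return names;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input resembling a device check-in body. This is an
        // assumption for the demo, not SysAid's real message format.
        String benign = "<checkin><device id=\"example-device\"/><status>ok</status></checkin>";
        // Constructed sample input: the same body preceded by a DOCTYPE. Even a DTD
        // declaring only a harmless internal entity is rejected outright.
        String withDoctype = "<!DOCTYPE checkin [<!ENTITY greeting \"hello\">]>"
                + "<checkin><status>&greeting;</status></checkin>";

        System.out.println("benign  -> " + elementNames(benign));
        try {
            elementNames(withDoctype);
            System.out.println("doctype -> accepted (parser is NOT hardened)");
        } catch (SAXParseException e) {
            System.out.println("doctype -> rejected: " + e.getMessage());
        }
    }
}
```

Run with any JDK 11 or later; the benign document parses and yields its three element names, while the DOCTYPE variant is rejected before any entity is examined. The same disallow-doctype-decl setting applies to DocumentBuilderFactory for DOM parsing, and an equivalent check (rejecting DOCTYPE declarations) should be applied wherever the application accepts XML from a client that has not authenticated.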
Given SysAid's broad deployment and the sensitive nature of the data stored, including internal tickets, incidents, and asset inventories, these flaws represent a significant risk.
The remote, pre-auth nature of the attack lowers the barrier for exploitation and elevates the impact, particularly as ransomware gangs continually target such infrastructure for extortion and data theft.
The research team flagged the vulnerabilities to SysAid, which ultimately released patches after an extended communication period.
Organizations are urged to apply the latest security updates immediately, audit public-facing instances, and monitor for suspicious activity targeting the vulnerable endpoints.
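The monitoring advice above can be made concrete by watching the three endpoints in the front-end access log. The following is an added example, not code from SysAid or TowerLabs, that flags POST requests to /mdm/checkin, /mdm/serverurl and /lshw, groups them by client address and counts server errors on those requests (error-based XXE attempts tend to surface as 5xx responses, so a run of them is a useful secondary signal). It assumes Tomcat's "common" access-log format and that the application may sit under a context path; the log lines, addresses and timestamps are constructed for the demo.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class XxeEndpointMonitor {

    // The three pre-auth endpoints named in the advisory.
    static final Set<String> WATCHED_PATHS = Set.of("/mdm/checkin", "/mdm/serverurl", "/lshw");

    // Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
    // (assumption: the SysAid front end is logging in this format).
    static final Pattern ACCESS_LINE = Pattern.compile(
            "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3}) (\\S+)");

    record Hit(String client, String timestamp, String path, int status) {}

    // Returns a Hit when the line is a POST to one of the watched paths.
    static Optional<Hit> inspect(String line) {
        Matcher m = ACCESS_LINE.matcher(line);
        if (!m.find()) {
            return Optional.empty();
        }
        String method = m.group(3);
        String path = m.group(4);
        int query = path.indexOf('?');
        String base = (query >= 0 ? path.substring(0, query) : path).toLowerCase();
        // Suffix match so a deployment under a context path (e.g. /sysaid/mdm/checkin)
        // is still caught; the context-path possibility is our assumption.
        boolean watched = WATCHED_PATHS.stream().anyMatch(base::endsWith);
        if (!"POST".equals(method) || !watched) {
            return Optional.empty();
        }
        return Optional.of(new Hit(m.group(1), m.group(2), base, Integer.parseInt(m.group(5))));
    }

    // Groups hits by client address so an analyst can see who is sending
    // unauthenticated POSTs to the vulnerable endpoints, and how often.
    static Map<String, List<Hit>> hitsByClient(List<String> lines) {
        Map<String, List<Hit>> byClient = new LinkedHashMap<>();
        for (String line : lines) {
            inspect(line).ifPresent(h ->
                    byClient.computeIfAbsent(h.client(), k -> new ArrayList<>()).add(h));
        }
        return byClient;
    }

    public static void main(String[] args) {
        // Constructed log lines for illustration; addresses and times are made up.
        List<String> sample = List.of(
            "10.0.5.23 - - [12/May/2025:09:14:02 +0000] \"GET /Login.jsp HTTP/1.1\" 200 5123",
            "10.0.5.23 - - [12/May/2025:09:14:09 +0000] \"POST /mdm/checkin HTTP/1.1\" 200 412",
            "203.0.113.77 - - [12/May/2025:09:15:44 +0000] \"POST /mdm/checkin HTTP/1.1\" 200 87",
            "203.0.113.77 - - [12/May/2025:09:15:45 +0000] \"POST /mdm/serverurl HTTP/1.1\" 500 0",
            "203.0.113.77 - - [12/May/2025:09:15:47 +0000] \"POST /lshw?x=1 HTTP/1.1\" 200 19",
            "10.0.5.23 - - [12/May/2025:09:16:01 +0000] \"GET /mdm/checkin HTTP/1.1\" 405 0");

        hitsByClient(sample).forEach((client, hits) -> {
            long errors = hits.stream().filter(h -> h.status() >= 500).count();
            System.out.printf("%-14s %d POST(s) to watched endpoints, %d server error(s)%n",
                    client, hits.size(), errors);
            hits.forEach(h -> System.out.printf("    %s %s -> %d%n",
                    h.timestamp(), h.path(), h.status()));
        });
    }
}
```

Requires Java 16 or later for the record type. On the constructed input the internal address shows one POST and the external address three, one of them a server error; in production the same grouping fed from the real log, with an allow-list of known MDM agent addresses, is enough to alert on any unexpected client reaching these endpoints while the patch is being rolled out.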
This disclosure underscores the need for rigorous security assessments of business-critical platforms like ITSM solutions.
As attackers increasingly set their sights on such systems, maintaining up-to-date patching and vigilant monitoring remains essential in defending against modern cyber threats.