
CISA Warns of SysAid Vulnerability Exploitation

CISA has added two recent SysAid vulnerabilities, CVE-2025-2776 and CVE-2025-2775, to its KEV catalog.


CISA on Tuesday added two recently patched SysAid On-Prem flaws to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerabilities, tracked as CVE-2025-2776 and CVE-2025-2775, were patched in early March, when SysAid released version 24.4.60 of its IT service management (ITSM) software.

The security holes, described as XXE issues, were discovered in December 2024 by security firm WatchTowr, which disclosed their details and published PoC exploit code in May 2025.

WatchTowr warned at the time that the flaws could be chained with CVE-2024-36394, an OS command injection issue previously discovered by another researcher, for unauthenticated remote command execution.

SysAid’s ITSM products are used by 10 million users around the world, according to the vendor, but at the time of disclosure the Shadowserver Foundation identified only 77 vulnerable instances that had been exposed to the internet.

There do not appear to be any public reports describing exploitation of CVE-2025-2776 and CVE-2025-2775.


Interestingly, CVE-2025-2776 and CVE-2025-2775 are two similar pre-authentication XXE vulnerabilities, while CVE-2024-36394, the OS command injection flaw that WatchTowr used in its exploit chain for unauthenticated remote command execution, has not been added to CISA’s KEV.
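Both KEV entries are XXE bugs, and the generic mitigation for that class is to stop the XML parser from honouring DOCTYPE and entity declarations in untrusted input. The following is an added example of that check, written here for illustration; it is not SysAid's code or WatchTowr's research, and it assumes a hypothetical Python service receiving XML ticket documents (the `ticket` schema and both sample documents are constructed).

```python
"""Reject XML that carries a DOCTYPE or entity declarations before it reaches
the application parser, the standard defence-in-depth against XXE.
Added example, not SysAid's code; the ticket documents are constructed."""
import xml.parsers.expat
from xml.etree import ElementTree as ET


class ForbiddenXML(ValueError):
    """Raised when a document uses DTD features that enable XXE."""


def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse XML only if it contains no DOCTYPE or entity declarations.

    A first pass with a bare expat parser installs handlers that abort as
    soon as a DOCTYPE or ENTITY declaration is seen; an exception raised
    inside an expat callback propagates out of Parse(). Only documents that
    survive that pass are handed to ElementTree.
    """
    guard = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE declaration rejected (root {name!r})")

    def reject_entity(*_):
        raise ForbiddenXML("entity declaration rejected")

    guard.StartDoctypeDeclHandler = reject_doctype
    guard.EntityDeclHandler = reject_entity
    guard.Parse(data, True)  # ForbiddenXML on DTD use, ExpatError if malformed
    return ET.fromstring(data)


def xml_is_acceptable(data: bytes) -> bool:
    """True if the document passes the DTD check and is well-formed XML."""
    try:
        parse_xml_safely(data)
        return True
    except (ForbiddenXML, ET.ParseError, xml.parsers.expat.ExpatError):
        return False


# Constructed samples: a plain ticket document, and one that declares an
# external entity the way an XXE probe would (placeholder URI, not a real target).
BENIGN = (b'<?xml version="1.0"?>'
          b'<ticket><id>42</id><title>Printer offline</title></ticket>')
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE ticket [<!ENTITY ext SYSTEM "file:///example">]>'
            b'<ticket><id>&ext;</id></ticket>')

if __name__ == "__main__":
    print("benign accepted:", xml_is_acceptable(BENIGN))  # True
    print("DTD accepted:", xml_is_acceptable(WITH_DTD))   # False
```

The pre-scan rejects any DOCTYPE, including ones without an internal subset, so a service that legitimately needs DTDs would have to allow-list them explicitly rather than relax this check; for most ticket-style APIs that need never arises.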

SecurityWeek has reached out to WatchTowr and SysAid for clarifications and confirmation of the attacks and will update this article if they respond.

CISA’s KEV entry indicates that the vulnerabilities have not been leveraged in ransomware attacks.

However, ransomware groups have exploited SysAid vulnerabilities before: in 2023, affiliates of the Cl0p ransomware operation were observed exploiting a zero-day tracked as CVE-2023-47246.

UPDATE: WatchTowr told SecurityWeek that it does not have any insight into why CISA made the decision to add the CVEs to its KEV catalog.

SysAid has provided the following statement:

We would like to clarify that the inclusion of these vulnerabilities in the KEV catalog does not necessarily indicate that they are currently being exploited or that they represent new vulnerabilities. According to CISA, any vulnerability can be added to the KEV catalog when there is documented reporting of active exploitation at any point in time. This means that the addition of these CVEs serves to raise awareness of their existence and the importance of applying necessary patches.

At SysAid, we take security very seriously and would like to assure our users that we have addressed and mitigated these vulnerabilities through appropriate patches. We have also provided CISA with the latest information on how to patch these vulnerabilities, and we encourage all customers to ensure their systems are updated with the most recent security updates.

For additional context, we recommend referring to the FAQ section on the BOD 22-01 website, which explains the purpose of the KEV catalog. It is designed to promote proactive management of vulnerabilities and to encourage prompt patching practices to enhance overall cybersecurity.


Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
