Updates released recently by SysAid for its IT service management (ITSM) software patch vulnerabilities that can be chained for unauthenticated remote command execution.
Details of the vulnerabilities were disclosed on Wednesday by security firm WatchTowr. The company’s researchers discovered several XXE vulnerabilities that could be exploited by unauthenticated attackers using specially crafted requests.
They enable hackers to obtain local files containing sensitive information (including for full admin access to SysAid), access other systems on the network, and cause a DoS condition.
However, WatchTowr researchers were unable to achieve remote command execution until they noticed that the SysAid update containing fixes for their vulnerabilities also patched an authenticated OS command injection issue discovered by an unnamed individual.
An analysis of the patch for the command injection bug revealed that it could indeed be chained with one of their XXE flaws for unauthenticated remote command execution.
The XXE flaws are tracked as CVE-2025-2775, CVE-2025-2776 and CVE-2025-2777, while the OS command injection issue is tracked as CVE-2024-36394.
SysAid patched the vulnerabilities with the release of version 24.4.60 in early March. Versions 23.3.40 and earlier are impacted.
WatchTowr pointed out that the vulnerability disclosure did not go as smoothly as it had hoped, claiming that the vendor only responded once at the beginning of the process. SecurityWeek has reached out to SysAid for comment and will update this article if the company responds.
The Shadowserver Foundation reported on Wednesday that it had identified 77 internet-exposed SysAid instances that appeared to be unpatched.
WatchTowr has published a proof-of-concept (PoC) exploit that can be used for unauthenticated remote command execution.
It’s important that organizations address these vulnerabilities as threat actors targeting SysAid instances is not unheard of. In recent years, SysAid product vulnerabilities were targeted by both state-sponsored hackers and cybercrime groups.
SysAid says its ITSM products are used by 10 million users across 140 countries.
UPDATE: SysAid has provided the following statement to SecurityWeek:
“Customer security is always our top priority. We promptly addressed the issue and released a patch to resolve the vulnerability. We thank watchTowr for their responsible disclosure and detailed reporting of the vulnerabilities, and we appreciate the joint effort in treating security with the seriousness it deserves. Internally, we’re reviewing the case to further strengthen our processes and ensure we remain proactive in protecting our users.”
*updated to replace CVE-2025-2778 with CVE-2024-36394
Related: Halo ITSM Vulnerability Exposed Organizations to Remote Hacking
Related: Ivanti Patches Critical Vulnerabilities in Neurons for ITSM, Virtual Traffic Manager
Related: Android Update Patches FreeType Vulnerability Exploited as Zero-Day
