CISA Warns: SysAid Flaws Under Active Attack Enable Remote File Access and SSRF

Published On: July 23, 2025


In a critical development for IT and security professionals, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding two severe vulnerabilities affecting SysAid IT support software. These flaws, now added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, are under active attack, enabling malicious actors to achieve remote file access and Server-Side Request Forgery (SSRF) capabilities. This advisory underscores the immediate need for organizations leveraging SysAid to assess their posture and implement protective measures.

CISA’s Urgent Warning: SysAid Flaws Under Active Exploitation

CISA’s inclusion of CVE-2025-2775 and CVE-2025-2776 in its KEV catalog signals a significant threat. The KEV catalog lists vulnerabilities that have been observed under active exploitation; federal agencies are required to remediate them on a fixed timeline, and all other organizations are strongly advised to do the same. Because exploitation of these SysAid vulnerabilities has been confirmed, unpatched installations are direct targets and highly susceptible to compromise.

Understanding the SysAid Vulnerabilities

The two vulnerabilities identified are:

  • CVE-2025-2775 (CVSS score: 9.3): This is an Improper Restriction of XML External Entity (XXE) Reference vulnerability. XXE vulnerabilities occur when an XML parser processes XML input containing references to external entities, which can then be used to disclose internal files, execute remote code, or perform denial-of-service attacks. A CVSS score of 9.3 signifies a critical vulnerability with a high likelihood of exploitation and significant impact. In this context, it facilitates unauthorized remote file access.
  • CVE-2025-2776 (CVSS score: 7.9): This flaw involves a Server-Side Request Forgery (SSRF) vulnerability. SSRF allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing. This can lead to information disclosure, port scanning of internal networks, or even interaction with internal services that are not directly exposed to the internet.
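The two defensive checks below illustrate how each bug class is closed at the application layer: refusing any DTD before parsing (the only place an XML external entity can be declared) and refusing outbound requests to internally routable addresses (the destinations SSRF is used to reach). This is an added example, not SysAid's code or a description of its patch; the resolver table and XML snippets used in testing are constructed, and the `resolve` hook is an assumption introduced so the check runs offline.

```python
import ipaddress
import re
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# --- XXE: refuse any DTD before the parser ever sees it -----------------
# External entities can only be declared inside a DTD, so failing closed on
# the raw bytes sidesteps parser feature auditing and also blocks internal
# entity expansion ("billion laughs"). Legitimate payloads rarely need a DTD.
_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

def parse_xml_without_dtd(data: bytes) -> ET.Element:
    """Parse untrusted XML, rejecting anything that declares a DTD."""
    if _DTD_RE.search(data):
        raise ValueError("XML containing a DTD is not accepted")
    return ET.fromstring(data)

# --- SSRF: only let the server fetch publicly routable destinations ------
def _is_internal(ip) -> bool:
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is still 10.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def safe_outbound_target(url: str, resolve=None) -> bool:
    """True only if the URL uses http(s) and every address its host resolves
    to is publicly routable. `resolve` maps a hostname to a set of address
    strings; it is injectable (an assumption of this example) so the check
    can run offline in tests."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if resolve is None:
        resolve = lambda h: {r[4][0] for r in socket.getaddrinfo(h, None)}
    try:
        addrs = resolve(parts.hostname)
    except OSError:  # socket.gaierror is an OSError
        return False
    # Every address must pass: a host that also resolves to 127.0.0.1 fails.
    # Caveat: resolve-then-connect is still open to DNS rebinding; pin the
    # checked address when making the actual connection.
    return bool(addrs) and not any(_is_internal(ipaddress.ip_address(a)) for a in addrs)
```

The address check covers loopback, RFC 1918, link-local (which includes cloud metadata endpoints) and IPv4-mapped IPv6, but an allowlist of expected destinations is stricter and preferable where the set of legitimate targets is known.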

The combination of these two vulnerabilities presents a potent attack vector, enabling threat actors to gain a foothold, extract sensitive data, and potentially pivot deeper into an organization’s network.

Impact of Exploitation

The successful exploitation of these SysAid vulnerabilities can have severe consequences, including but not limited to:

  • Remote File Access: Attackers can read sensitive files from the compromised server, potentially leading to the theft of confidential data, credentials, or configuration files.
  • Data Exfiltration: Exfiltrated data can range from customer records and intellectual property to internal operational data, leading to regulatory fines, reputational damage, and competitive disadvantage.
  • Network Reconnaissance: The SSRF vulnerability enables attackers to perform internal network scanning, mapping out infrastructure and identifying other vulnerable systems.
  • Further Compromise: Gaining remote file access or leveraging SSRF can be a stepping stone for more advanced attacks, such as arbitrary code execution, privilege escalation, or lateral movement within the network.
  • Disruption of IT Operations: Compromise of IT support software can disrupt critical business functions and lead to service outages.

Remediation Actions

Organizations using SysAid IT support software must take immediate action to mitigate the risk posed by these actively exploited vulnerabilities:

  • Patch Immediately: The most critical step is to apply the latest security updates provided by SysAid. Organizations should prioritize patching any SysAid installations exposed to the internet. Refer to official SysAid communications for the specific versions addressing these CVEs.
  • Isolate and Segment: Ensure your SysAid infrastructure is properly isolated from other critical systems. Implement network segmentation to limit lateral movement if a compromise occurs.
  • Implement Strong Network Security Controls:
    • Web Application Firewall (WAF): Deploy and configure a WAF to detect and block malicious requests targeting XXE and SSRF vulnerabilities.
    • Intrusion Detection/Prevention Systems (IDS/IPS): Ensure IDS/IPS systems are updated with the latest signatures to detect exploitation attempts.
    • Principle of Least Privilege: Restrict network access to the SysAid server to only necessary ports and IP addresses.
  • Review Logs and Monitor for Anomalies:
    • Actively monitor SysAid logs, network traffic, and system behavior for any signs of compromise or unusual activity, such as unauthorized file access, outbound connections to unusual destinations, or unexplained errors.
    • Implement robust logging and integrate with a Security Information and Event Management (SIEM) system for centralized analysis and alerting.
  • Conduct Vulnerability Scans and Penetration Tests: Regularly scan your environment for vulnerabilities and conduct penetration tests to identify potential weaknesses before attackers do.
  • Incident Response Plan Activation: Review and be prepared to activate your incident response plan if an exploitation is detected.

Vulnerability Management Tools

Effective vulnerability management requires reliable tools. The following tools can assist in identifying and mitigating threats of this kind:

Tool Name                 Purpose                                                   Link
Nessus                    Vulnerability Scanning and Assessment                     https://www.tenable.com/products/nessus
OpenVAS                   Open-source Vulnerability Scanner                         http://www.openvas.org/
Burp Suite Professional   Web Vulnerability Scanning and Penetration Testing        https://portswigger.net/burp/pro
OWASP ZAP                 Free and Open-Source Web Application Security Scanner     https://www.zaproxy.org/
Imperva WAF               Web Application Firewall for Protection                   https://www.imperva.com/products/web-application-firewall-waf/

Conclusion

CISA’s alert on the actively exploited SysAid vulnerabilities (CVE-2025-2775 and CVE-2025-2776) is a clear call to action for all organizations using the software. The potential for remote file access and SSRF underscores the critical need for immediate patching and a strengthened security posture. Proactive vulnerability management, robust security controls, and vigilant monitoring are essential to protect against these and future threats. Prioritizing these actions will significantly reduce exposure and safeguard organizational assets.
