May 7, 2025 By Zeljka Zorz
WatchTowr researchers have released a proof-of-concept (PoC) exploit that chains two vulnerabilities in SysAid On-Prem – the self-hosted version of the platform behind SysAid’s popular IT service management and IT helpdesk solutions – to achieve unauthenticated remote code execution on the underlying server.
The vulnerabilities have been patched in SysAid On-Prem v24.4.60, released in early March 2025, but it’s likely that many enterprises have not upgraded yet.
Creating the PoC
“In an on-premise deployment, SysAid runs as a Windows Server–based application within your organization’s infrastructure. Think of the SysAid server as just another Windows box in your closet, except this one handles every IT ticket, asset record, and help-desk magic you throw at it,” WatchTowr researchers explained.
By probing the application for weaknesses, they uncovered three XML external entity injection vulnerabilities (CVE-2025-2775, CVE-2025-2776 and CVE-2025-2777).
