
Based on evidence of active exploitation, the US Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws affecting SysAid IT support software to its Known Exploited Vulnerabilities (KEV) catalog.
The vulnerabilities in question are listed below -
CVE-2025-2775 (CVSS score: 9.3) - An improper restriction of XML external entity (XXE) reference vulnerability in the Checkin processing functionality that could allow administrator account takeover and file read primitives
CVE-2025-2776 (CVSS score: 9.3) - An improper restriction of XML external entity (XXE) reference vulnerability in the Server URL processing functionality that could allow administrator account takeover and file read primitives
Both shortcomings were disclosed in May by security researchers, along with CVE-2025-2777 (CVSS score: 9.3), an XXE in the /lshw endpoint.

The three vulnerabilities were addressed by Sysaid in on-premises version 24.4.60 build 16, released in early March 2025.
Security researchers said the vulnerabilities allow an attacker to inject unsafe XML entities into the web application, leading to XXE and, through it, server-side request forgery (SSRF); in some cases the flaws could be chained with CVE-2024-36394, disclosed in June 2024, to achieve remote code execution.
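The XXE mechanism described above, as an added example (not SysAid's code and not the disclosed payloads): a Python SAX parser with external general entities enabled resolves an attacker-declared entity to a local file and hands its contents back as element text, while a hardened parser refuses any DOCTYPE in the parser's own lexical callback and keeps entity resolution switched off. The checkin-style body, the element names and the secret file are constructed for the demonstration; the `file://` URL assumes a POSIX path.

```python
"""XXE demo: entity-resolving parser leaks a file; hardened parser refuses the DTD.
Added example, not code from SysAid or the disclosing researchers."""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Collect the character data of one element (the hypothetical <device>)."""

    def __init__(self, element):
        super().__init__()
        self.element = element
        self.inside = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == self.element:
            self.inside = True

    def endElement(self, name):
        if name == self.element:
            self.inside = False

    def characters(self, content):
        if self.inside:
            self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts)


class RejectDoctype:
    """Lexical handler: abort the parse the moment a DOCTYPE is seen.
    Doing this inside the parser (not a byte-level pre-filter) means
    encoding tricks that hide the string '<!DOCTYPE' do not bypass it."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def build_xxe_payload(file_url: str) -> bytes:
    """Constructed attacker body: an external entity pointing at a local
    file, referenced from an element the application reads back."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE checkin [<!ENTITY xxe SYSTEM "{file_url}">]>\n'
        "<checkin><device>&xxe;</device></checkin>"
    ).encode()


def parse_vulnerable(body: bytes) -> str:
    """Parser configured the way an XXE-prone application is: external
    general entities are fetched and substituted into the document."""
    handler = TextCollector("device")
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body))
    return handler.text


def parse_hardened(body: bytes) -> str:
    """Same parse with two independent controls: no DTD at all, and
    external general/parameter entity resolution explicitly disabled."""
    handler = TextCollector("device")
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    parser.setProperty(xml.sax.handler.property_lexical_handler, RejectDoctype())
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body))
    return handler.text


def demo() -> dict:
    """Write a secret to a temp file, then run both parsers on an XXE body."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("s3cret-token")
        payload = build_xxe_payload("file://" + secret_path)  # POSIX path assumed
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
    benign = parse_hardened(b"<checkin><device>laptop-42</device></checkin>")
    return {"leaked": leaked, "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

The vulnerable parser returns the secret as if the client had sent it, which is the file-read primitive the advisories describe; the hardened one still accepts ordinary check-in bodies. Disabling DTDs at the parser is a defence-in-depth measure, not a substitute for applying the vendor fix.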
It is currently unknown how CVE-2025-2775 and CVE-2025-2776 are being exploited in real-world attacks. Nor is any information available regarding the identity of the threat actor, its ultimate goals, or the scale of these efforts.
Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by August 12, 2025, to secure their networks against active threats.