CVE-2025-2775

On May 7, 2025, watchTowr published technical details and a public PoC for pre-authenticated XXE vulnerabilities (CVE-2025-2775/2776/2777) and a post-authentication command injection (CVE-2025-2778) in SysAid On-Premises that can be chained to achieve remote code execution and extract the main administrator’s clear-text password; fixes are available in SysAid 24.4.60 and later, and the report notes prior exploitation (Cl0p ransomware) of a SysAid zero-day in 2023.