Latest SysAid Help Desk vulnerabilities #

On May 7th, Watchtowr disclosed multiple vulnerabilities in the SysAid Help Desk on-premises service management platform. These vulnerabilities, designated CVE-2025-2775CVE-2025-2776, and CVE-2025-2777, leverage how SysAid handles external XML references in user-supplied input. Successfully exploiting these vulnerabilities would allow an attacker to execute arbitrary code with the privileges of the vulnerable process.

These vulnerabilities have been assigned a CVSS score of 9.3 (critical). A proof-of-concept exploit has been published for these vulnerabilities.

Are updates available? #

SysAid has released Help Desk version 24.4.60 to address this issue.

How to find SysAid Help Desk with runZero #

SysAid Help Desk services can be found by navigating to the Software Inventory and using the following query:

vendor:="SysAid" AND product:"Help Desk"

Results from the above query should be triaged to determine if they require patching or vendor intervention.


November 2023: CVE-2023-47246 #

On the evening of November 8th Microsoft Threat Intelligence announced that they had discovered attacks by a ransomware gang against the SysAid Help Desk software using a zero-day exploit (CVE-2023-47246). These attacks leveraged a directory traversal vulnerability to upload a web shell and deliver the ransomware payload. SysAid has since published an advisory, complete with indicators of compromise, and made a patch available to customers. The Rapid7 blog has additional information about this issue.

Are updates available? #

SysAid Help Desk has released version 23.3.36 to address this issue.

How to find SysAid Help Desk with runZero #

SysAid Help Desk services can be found by navigating to the Service Inventory and using the following query:

_asset.protocol:{http} AND protocol:{http} AND (_service.favicon.ico.image.md5:="5f30870725d650d7377a134c74f41cfd" OR last.html.title:"SysAid")

Results from the above query should be triaged to determine if they require patching or vendor intervention.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

Written by HD Moore

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

More about HD Moore

Written by Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.

More about Rob King
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.

Discover the new era of exposure management!