{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"Daily Security Review","title":"New SysAid Vulnerabilities Added to CISA’s KEV List: XXE Flaws Could Enable RCE","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/c52ac1d2\"></iframe>","width":"100%","height":180,"duration":1570,"description":"Two vulnerabilities in SysAid’s On-Prem IT support software, CVE-2025-2775 and CVE-2025-2776, have been added to the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog. A KEV listing means CISA has evidence of active exploitation, even though no public reporting describes the attacks and no ransomware involvement has been reported to date; history also shows that SysAid products are a viable target for threat actors. The flaws, discovered by watchTowr Labs in late 2024 and patched in early 2025 (fixed in SysAid On-Prem 24.4.60 b16; anything older is exposed), are XML External Entity (XXE) injection vulnerabilities reachable without authentication: a crafted XML request makes the server’s parser resolve an attacker-declared external entity, which lets attackers read sensitive files off the server, including ones that hold administrator credentials. When chained with a separate post-authentication command injection bug (CVE-2024-36394), those credentials lead to full remote code execution (RCE) as SYSTEM, giving attackers unrestricted control of the compromised server. Although no ransomware campaign has been tied to these specific flaws, the KEV designation calls for urgent remediation, particularly because SysAid has been targeted before: in 2023, the Cl0p ransomware gang exploited a separate zero-day (CVE-2023-47246) to deploy malware across enterprise networks. That precedent, combined with how quietly an XXE file read and a follow-on RCE can take place, is why organizations should treat these vulnerabilities as critical. This episode explores how the vulnerabilities work, what makes them exploitable in real-world attack chains, and why inclusion in CISA’s KEV catalog should be taken seriously, especially under Binding Operational Directive 22-01, which requires federal civilian agencies to remediate KEV-listed vulnerabilities by the catalog’s due dates. We also dive into broader threat trends from CrowdStrike’s 2025 Global Threat Report: how attackers are increasingly going malware-free, leveraging AI, and moving at unprecedented speed. With 79% of breaches no...","thumbnail_url":"https://img.transistorcdn.com/pL79_MJFeJHamQ_ztImsGmDSMdl27VMk_30TAkieujE/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8yNzg5/ZjlhNzM5Y2M4Njli/NjkxNzgyODA2Nzhi/MDI2ZC5wbmc.webp","thumbnail_width":300,"thumbnail_height":300}
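The XXE mechanism the episode description summarises (a server-side XML parser that resolves an attacker-supplied SYSTEM entity and splices the referenced local file into the parsed document) is easiest to see in a small standalone program. The Python below is an added example written for this page; it is not SysAid's code (SysAid On-Prem is a Java application, where the equivalent hardening is setting the disallow-doctype-decl feature on DocumentBuilderFactory) and it makes no claim about the specific SysAid endpoints. The config file, its content and the malicious document are constructed stand-ins. It runs the same payload through a deliberately vulnerable parser configuration to show the leak, then through a hardened one that rejects any DOCTYPE before an entity can be declared.

```python
"""Added example: how an XXE bug turns an XML parser into a file reader, and the fix."""
import os
import tempfile
import xml.parsers.expat as expat


def parse_untrusted_xml(xml_bytes, resolve_external_entities):
    """Parse XML and return its concatenated character data.

    resolve_external_entities=True models the vulnerable setup: whatever SYSTEM
    identifier the document declares is opened and its bytes are spliced in as
    the entity's replacement text.  False models the hardened setup: a DOCTYPE
    (the only place an entity can be declared) is rejected outright.
    """
    parser = expat.ParserCreate()
    text_parts = []
    parser.CharacterDataHandler = text_parts.append

    def resolve_entity(context, base, system_id, public_id):
        # system_id is attacker-controlled; opening it is the dangerous step.
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            replacement = fh.read()
        # The sub-parser inherits the handlers, so the file's bytes reach
        # CharacterDataHandler as if they had been typed into the document.
        sub = parser.ExternalEntityParserCreate(context)
        sub.Parse(replacement, True)
        return 1

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Raising inside the callback aborts the parse before any entity exists.
        raise ValueError("DOCTYPE not allowed in untrusted XML")

    if resolve_external_entities:
        parser.ExternalEntityRefHandler = resolve_entity
    else:
        parser.StartDoctypeDeclHandler = reject_doctype

    parser.Parse(xml_bytes, True)
    return "".join(text_parts)


def demo():
    """Constructed end-to-end run; the secret file and its content are stand-ins."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write("admin.password=s3cr3t\n")  # hypothetical server-side credential file
        secret_path = fh.name
    try:
        # Constructed attacker document: declares an external entity that points at
        # a server-local file and references it inside an element the app parses.
        payload = (
            "<?xml version='1.0'?>\n"
            f"<!DOCTYPE ticket [<!ENTITY xxe SYSTEM 'file://{secret_path}'>]>\n"
            "<ticket><subject>&xxe;</subject></ticket>"
        ).encode()
        leaked = parse_untrusted_xml(payload, resolve_external_entities=True)
        try:
            parse_untrusted_xml(payload, resolve_external_entities=False)
            hardened = "parsed"
        except ValueError as exc:
            hardened = str(exc)
        return {"vulnerable": leaked, "hardened": hardened}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(f"{mode}: {outcome.strip()}")
```

The vulnerable run returns the planted file's contents as ordinary element text, which is exactly why an unauthenticated XXE against a server that stores credentials on disk is a credential-theft bug rather than a parsing curiosity. The hardened run refuses the document at the DOCTYPE, which is the safe default to insist on for any endpoint that accepts XML from outside; in Python, prefer a library that does this by default (defusedxml), and in Java set the disallow-doctype-decl feature rather than only disabling external entities.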