SysAid AI Agents Security Risks

Category: Business Process Agents | Vendor: sysaid.com | Quadrant: Fortified Leaders
[AI Risk Quadrant chart: Defense Controls (9) plotted against Attack Surface (5.62); quadrants Exposed Giants, Fortified Leaders, Humble Providers, Tight Operators]
AIRQ Score 6.76 (Medium) | Attack Surface 5.62 (High) | Blast Radius 5.87 (High) | Defense Controls 9 (Medium)
About The Agent

SysAid AI Agents is a cloud-hosted enterprise ITSM automation platform that runs multiple prebuilt and custom-built AI agents within a managed SaaS environment, with an optional on-premise deployment for regulated organizations. The same runtime drives identity management, device lifecycle operations, and ticket orchestration through direct Microsoft Graph API integrations holding broad delegated permissions including directory write and device wipe capabilities. The key risk surface is the combination of untrusted end-user input channels feeding agents that hold production write access to identity infrastructure and device management endpoints.

About the AI Risk Quadrant

Fortified Leaders characterizes agents with moderate attack surface exposure paired with elevated blast radius and defense controls that rely on administrator-configured governance rather than architectural enforcement. SysAid AI Agents lands here because tool execution and external data ingestion channels carry critical vulnerability evidence driving the attack surface upward, while broad credential delegations and default network egress to external services elevate the blast radius, offset by vendor-documented controls across all five defense components at the vendor-documentation confidence tier.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. The dominant risk shape is concentrated credential and action authority delegated to agents whose input channels have demonstrated pre-authentication bypass and whose output filtering lacks independent adversarial validation.

Key Input Risks
End-user chatbot messages, inbound service tickets, and email-triggered requests feed the AI agent reasoning loop with content authored by parties outside the operator's trust boundary. Operators should restrict email-triggered agent execution to trusted sender domains and validate the regex-based prompt injection layer against adversarial payloads, as the on-premise XXE chain confirmed untrusted inputs reach deep processing without authentication. [1][8]
Key Execution Risks
The agent builder generates automation code from natural language and the runtime executes tool actions against production directory and device management endpoints. Post-authentication command injection demonstrated arbitrary OS command execution, and the on-premise path traversal enabled webroot-level code execution exploited for ransomware deployment. [3][4][6][7]
Key Action Risks
AI agents execute device wipes via delegated Graph API permissions, modify directory group memberships, and assign licenses with write-level access to the operator's identity infrastructure. Operators should enable human-in-the-loop approval for all destructive actions immediately, as per-action confirmation is opt-in rather than default-enforced for autonomous operations. [11][12]
Key Output Risks
The default configuration applies schema validation, deny-list filtering, and PII masking to agent outputs before they reach downstream consumers. No independent assessment of these controls against prompt-driven exfiltration has been published, and agents route responses to external messaging and identity services by default. [8][9]
Key Monitoring Risks
Immutable timestamped logs, a monitoring dashboard, and per-action tracing provide observability into agent operations on the default configuration. No documented anomaly detection or real-time alerting on suspicious agent behavior patterns exists beyond the audit trail, leaving adversarial manipulation detection to the operator. [9][10]

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. SysAid AI Agents presents a moderate composite risk driven by concentrated tool execution and credential exposure offset by vendor-documented defense controls across all five components.

AIRQ Metrics

The agent's attack surface, blast radius, and defense controls place it in the Fortified Leaders quadrant — operators inherit production identity write access and external egress by default, partially offset by vendor-documented approval gates and monitoring.

Each axis measures a distinct dimension of the agent's risk posture: attack surface and blast radius are scored out of ten, defense controls out of fifteen, and the AIRQ composite normalizes across all three.

Metric | Score | Comments
AIRQ Score | 6.76 | Moderate composite indicates that vendor-documented defenses partially offset the concentrated tool execution and credential exposure, but gaps in output filtering and independent validation leave residual risk.
Blast Radius | 5.87 / 10 | Directory.ReadWrite.All and Intune device-wipe permissions combined with default outbound HTTPS to inference and messaging services concentrate the blast radius on identity infrastructure compromise.
Attack Surface | 5.62 / 10 | Tool execution and external data ingestion carry critical CVE evidence driving the surface upward, and all three trifecta conditions are met on the default configuration.
Defense Controls | 9 / 15 | Vendor-documented controls exist across all five components at the vendor-documentation confidence tier, but no third-party adversarial evaluation has confirmed their effectiveness against targeted attack scenarios.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The dominant exposures are concentrated on tool execution and external data ingestion where critical pre-authentication vulnerabilities have been demonstrated, while remaining surfaces carry base-band scores grounded in the documented architecture.

Attack Surface Metrics

Surfaces with evidence penalties reflect confirmed vulnerabilities filed against the product; surfaces without penalties are scored on documented architectural exposure alone.

Each row scores the entry point's exploitability from the documented default configuration, with penalties applied where agent-specific vulnerability evidence confirms the theoretical exposure.

Surface | Score | Comments
User Input | 2 / 4 | End-user chatbot and ticket-based input channels with documented regex prompt injection detection and moderation API integration provide a first-pass filter, though no independent adversarial testing has validated effectiveness against targeted prompt injection payloads delivered through service requests. [8][9]
External Data | 4 / 4 | Ingests data from external API integrations and email channels; pre-authentication XXE (CVE-2025-2775, CVSS 9.8) confirmed that unauthenticated XML payloads reach deep processing pipelines enabling admin-level credential extraction and arbitrary file read without requiring any prior session context. [1][5][6][13]
Memory | 2 / 4 | Organization-specific knowledge persists in the Data Pool stored exclusively within the customer's database with cross-session retention; no documented integrity verification or poisoning detection exists for stored context that agents load at execution time. [8]
Reasoning | 2 / 4 | Multi-model inference via commercial large language models processes prompts without a publicly disclosed adversarial evaluation or independent red-team assessment of the reasoning loop against injection and jailbreak techniques. [8]
Planning | 2 / 4 | The agent builder enables multi-step workflow orchestration with scheduled and trigger-based execution patterns; planning logic operates within admin-configured action scopes without a documented runtime constraint on plan complexity or resource consumption. [9]
Tool Execution | 5 / 4 | Code generation from natural language and device management via delegated Graph API permissions; path traversal (CVE-2023-47246, CVSS 9.8) demonstrated webroot-level code execution exploited in the wild for ransomware deployment, and post-authentication command injection (CVE-2024-36394) confirmed arbitrary OS command execution through the management interface. [3][4][6][7]
Orchestration | 2 / 4 | Multiple prebuilt and custom agents with scheduled recurring execution; no documented inter-agent isolation boundary or orchestration-layer access control prevents one agent's compromised context from influencing another agent's execution scope within the same tenant. [9]
Inter-Agent | 1 / 4 | No documented agent-to-agent messaging, delegation, or shared context protocol exists; each agent operates independently within its configured scope, limiting the inter-agent attack surface to the shared tenant data layer rather than direct communication channels. [8]
Output Processing | 2 / 4 | Outbound content flows through deny-list and schema checks with PII redaction before reaching messaging platforms and identity management endpoints; no dedicated data-loss prevention layer inspects agent-generated payloads for prompt-driven exfiltration patterns in the default configuration. [8][9]
Configuration | 4 / 4 | Pre-authentication XXE chain (CVE-2025-2776, CVSS 9.8) in the Server URL processing endpoint bypassed all authentication controls to achieve admin account takeover and arbitrary file read; CISA added this to the Known Exploited Vulnerabilities catalog with confirmed active exploitation in the wild. [2][6][13]

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. SysAid AI Agents exhibits all three on the documented default: a single injected instruction in a service ticket can read production directory data and exfiltrate it through the agent's default outbound channels to inference providers, messaging platforms, and Graph API endpoints without crossing any system-level control.

Lethal Trifecta · Complete (3 of 3)

SysAid AI Agents exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — End-user chatbot messages, inbound service tickets, and email content constitute attacker-controllable bytes that reach the agent reasoning loop on the documented default configuration; the pre-authentication XXE chain confirms that untrusted payloads bypass authentication boundaries entirely. [1][8]
  • Sensitive data — Agents access ITSM records, Azure AD user and group data, Microsoft 365 license assignments, Outlook calendars, and Intune-managed device inventories through delegated permissions including Directory.ReadWrite.All and User.ReadWrite.All. [11][12]
  • External egress — Default outbound channels include HTTPS to external inference providers, messaging integrations to collaboration platforms, and Graph API writes to identity and device management endpoints — all transmitting agent-processed content outside the operator's trust boundary without a dedicated exfiltration barrier. [8][9]

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. The blast radius is concentrated on credential and network exposure where broad Microsoft Graph API delegations grant production write access to directory infrastructure and default egress routes reach multiple external services.

Blast Radius Metrics

Factors scoring at the upper bands reflect documented production-scope access that an attacker gains upon compromising the agent's execution context or credential store.

Each factor measures the worst-case impact an attacker achieves by compromising the agent's execution context, scored on the documented default permission set and integration scope.

Factor | Score | Comments
Code execution | 2 / 4 | The agent builder generates and executes automation code within ephemeral containers for the cloud deployment; the on-premise variant runs within the Tomcat application server context where path traversal demonstrated webroot-level code execution capability. [3][7][14]
File system access | 2 / 4 | Cloud deployment restricts file access to ephemeral container scope with no persistent host filesystem exposure documented; the on-premise path traversal demonstrated arbitrary file write to the Tomcat webroot and WAR archive deployment capability. [3][14]
Network access | 3 / 4 | Default outbound HTTPS to inference providers, messaging integrations, and Graph API endpoints with no documented network egress restrictions beyond transport-layer encryption; agents communicate externally as part of normal operation. [8][11]
Credential access | 3 / 4 | Directory.ReadWrite.All and User.ReadWrite.All Microsoft Graph API permissions grant production write access to the operator's identity infrastructure; Intune integration holds device wipe capability; pre-authentication XXE achieved admin credential extraction from the management server. [1][12]
Autonomous action | 2 / 4 | Agents execute pre-approved ITSM actions including ticket management, license assignment, and device lifecycle operations within admin-configured scopes; per-action human approval is available as opt-in configuration rather than a default-enforced gate. [9][11]
Deployment access | 2 / 4 | The agent builder deploys new automation agents after admin approval and testing gates; no documented capability to modify host infrastructure, CI/CD pipelines, or production deployment configurations beyond the ITSM automation scope. [9]

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Vendor documentation describes controls across all five defense components with default-on posture for the cloud deployment, but independent adversarial testing has not validated their effectiveness and the on-premise variant lacks equivalent architectural isolation.

Defense Controls Metrics

All scores reflect vendor-documented controls at the vendor-documentation confidence tier where the control's existence is attested by published documentation rather than independent third-party verification.

Each component is scored inversely so that higher values indicate stronger defenses, measuring the vendor-documented default posture against the specific attack patterns identified in the preceding sections.

Component | Score | Comments
Input Guardrails | 2 / 3 | Regex prompt injection detection, moderation API integration, role-based prompt templates, and zero-shot structural validation documented as default-on for the cloud deployment; no independent adversarial evaluation or published bypass testing against the AI-specific input path. [8][9]
Execution Isolation | 2 / 3 | Ephemeral containers with temporary credentials and fine-grained IAM for the cloud tier; the on-premise deployment runs within a shared Tomcat application server context where critical path traversal has been exploited for code execution. [8][3]
Action Controls | 2 / 3 | Admin approval gates agent deployment and RBAC scopes each agent to predefined actions; human-in-the-loop review is configurable but individual high-impact operations like device wipe execute within pre-approved scopes without a per-invocation confirmation step. [9][8]
Output Guardrails | 1 / 3 | Deny-list filtering and response-shape validation with redaction of sensitive patterns documented as default-on; no outbound data-loss prevention mechanism guards against adversarially crafted exfiltration through the external communication channels the agent uses by default. [8]
Monitoring | 2 / 3 | Immutable timestamped audit logs with structured JSON format, monitoring dashboard, and per-action tracing documented as default-on — logs are SIEM-exportable but no built-in anomaly detection or automated alerting triggers on suspicious patterns. [9][10]

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators can layer independent prompt injection detection, minimize Graph API permission scopes, enforce per-action human approval for destructive operations, and integrate agent telemetry with SIEM platforms to close the documented gaps.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

  • Policy: Require independent adversarial testing of the prompt injection detection pipeline before deploying agents that process end-user-authored content — counters unvalidated vendor-documented regex filtering on chatbot and ticket input channels.
  • Configuration: Restrict AI Connections input sources to an explicit allowlist of trusted external systems and disable email-triggered agent execution for untrusted sender domains — counters broad external data ingestion where content authenticity cannot be verified.
  • Engineering: Deploy a dedicated ML-based prompt injection classifier in front of the agent processing pipeline — counters the reliance on pattern-matching detection that sophisticated adversarial inputs can evade.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

  • Policy: Prohibit on-premise deployment for new agent workloads and migrate existing on-premise instances to the cloud-hosted SaaS tier where ephemeral Lambda isolation is architecturally enforced — counters the shared Tomcat execution context that enabled webroot-level code execution via path traversal.
  • Configuration: Enforce network segmentation between the agent runtime and production databases or identity infrastructure — counters lateral movement from a compromised execution context reaching privileged endpoints.
  • Engineering: Audit Lambda execution policies quarterly to verify temporary credential scopes have not drifted beyond minimum required permissions — counters credential scope creep in the cloud deployment.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

  • Policy: Enable human-in-the-loop approval for all destructive actions including device wipe, license removal, and user account modification rather than relying on pre-approved scopes alone — counters autonomous execution of high-impact operations without per-action validation.
  • Configuration: Implement a separate dual-administrator approval workflow for Intune device wipe operations — counters a single point of failure in the approval chain for irreversible device management actions.
  • Engineering: Replace Directory.ReadWrite.All with granular per-resource Graph API delegations scoped to the specific automation need — counters excessive standing privilege that outlives the configured agent task.
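The three Action Controls tips above can be expressed as one deny-by-default policy gate in front of the runtime's tool executor. The following is an added example written for this profile, not SysAid's code: the action names, the per-action Graph permission mapping, the request schema and the agent identifiers are assumptions chosen for illustration.

```python
"""Approval gate for agent-initiated ITSM and Graph API actions (added example)."""
from dataclasses import dataclass, field

# Assumed least-privilege mapping: the single Graph permission each action
# needs instead of a standing Directory.ReadWrite.All grant.
REQUIRED_PERMISSION = {
    "ticket.update": None,  # ITSM-internal, touches no Graph endpoint
    "license.assign": "User.ReadWrite.All",
    "license.remove": "User.ReadWrite.All",
    "user.update": "User.ReadWrite.All",
    "group.member.add": "GroupMember.ReadWrite.All",
    "device.wipe": "DeviceManagementManagedDevices.PrivilegedOperations.All",
}
# Destructive actions named in the hardening tips need a human approver;
# an Intune wipe additionally needs two distinct administrators.
DESTRUCTIVE = {"license.remove", "user.update", "group.member.add", "device.wipe"}
DUAL_APPROVAL = {"device.wipe"}
OVERBROAD = {"Directory.ReadWrite.All"}


@dataclass
class ActionRequest:
    agent: str  # hypothetical agent identifier
    action: str
    target: str
    approvals: list = field(default_factory=list)  # administrator ids who approved


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: ActionRequest, agent_permissions: dict) -> Decision:
    """Decide whether the runtime may execute req for the requesting agent.

    agent_permissions maps agent id -> set of Graph permissions it holds.
    Every branch is deny-by-default: an unknown action, an over-broad
    standing grant, a missing scope or a missing approval all refuse.
    """
    if req.action not in REQUIRED_PERMISSION:
        return Decision(False, f"unknown action {req.action!r}")
    granted = agent_permissions.get(req.agent, set())
    if granted & OVERBROAD:
        return Decision(False, "agent holds an over-broad directory grant; scope it down")
    needed = REQUIRED_PERMISSION[req.action]
    if needed and needed not in granted:
        return Decision(False, f"agent lacks {needed}")
    # an agent never counts as its own approver
    approvers = {a for a in req.approvals if a != req.agent}
    if req.action in DUAL_APPROVAL and len(approvers) < 2:
        return Decision(False, "device wipe needs two distinct administrator approvals")
    if req.action in DESTRUCTIVE and not approvers:
        return Decision(False, "destructive action needs human approval")
    return Decision(True, "allowed")


if __name__ == "__main__":
    perms = {"license-bot": {"User.ReadWrite.All"}}
    print(evaluate(ActionRequest("license-bot", "license.assign", "user1"), perms))
    print(evaluate(ActionRequest("license-bot", "license.remove", "user1"), perms))
```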

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

  • Policy: Deploy a data-loss prevention proxy between agent output channels and external services — counters prompt-driven exfiltration of sensitive ITSM data through default messaging and Graph API egress channels.
  • Configuration: Configure rate limiting on outbound agent communications per session to detect and throttle bulk data extraction attempts — counters high-frequency exfiltration through repeated message generation.
  • Engineering: Implement output content scanning for credential patterns, API keys, and internal hostnames before agent responses reach end-user channels — counters accidental or adversarially induced information disclosure.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

  • Policy: Configure real-time alerting on anomalous agent behavior patterns such as unusual Graph API call volume or unexpected device management actions — counters the absence of documented automated anomaly detection.
  • Configuration: Integrate AI agent audit logs with the organization's SIEM for correlation with identity and endpoint security signals — counters siloed visibility where agent actions are logged but not correlated with broader threat detection.
  • Engineering: Establish per-agent baselines on Graph API call volume, device management action frequency, and license modification rate, alerting when any metric exceeds two standard deviations from the rolling weekly norm — counters adversarial manipulation that stays within approval scopes but exhibits anomalous aggregate patterns.
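The Engineering tip above (per-agent baselines with a two-standard-deviation alert) can run directly over the structured JSON audit logs the profile says are SIEM-exportable. This added example is not SysAid's code: the event field names (ts, agent, tool, action, target) and the sample events are constructed assumptions, and it generalizes the tip to any metric defined as a predicate over events.

```python
"""Per-agent baseline alerting over agent audit events (added example)."""
import json
import statistics
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Assumed event schema: {"ts", "agent", "tool", "action", "target"}.
# Each metric is a predicate selecting the events it counts.
METRICS = {
    "graph_calls": lambda e: e.get("tool") == "graph",
    "device_wipes": lambda e: e.get("action") == "device.wipe",
    "license_mods": lambda e: str(e.get("action", "")).startswith("license."),
}
Alert = namedtuple("Alert", "agent metric day count mean stdev")


def daily_counts(lines):
    """Return {(agent, metric): {date: count}} from JSON-lines audit events."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        try:
            e = json.loads(line)
            day = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).date()
        except (ValueError, KeyError, TypeError):
            continue  # malformed line: skip it rather than stall the detector
        for name, pred in METRICS.items():
            if pred(e):
                counts[(e.get("agent", "unknown"), name)][day] += 1
    return counts


def detect(lines, window_days=7, sigma=2.0):
    """Alert when a day's count exceeds the prior window's mean by > sigma stdevs."""
    counts = daily_counts(lines)
    if not counts:
        return []
    first = min(d for per_day in counts.values() for d in per_day)
    alerts = []
    for (agent, metric), per_day in counts.items():
        for day in sorted(per_day):
            if (day - first).days < window_days:
                continue  # too little history to form a baseline
            # absent days count as zero, so a log gap lowers the baseline
            hist = [per_day.get(day - timedelta(days=i), 0) for i in range(1, window_days + 1)]
            mean, sd = statistics.mean(hist), statistics.pstdev(hist)
            # a flat baseline (sd == 0) makes any increase fire, which is the
            # right behaviour for rare destructive actions such as device wipe
            if per_day[day] > mean + sigma * sd:
                alerts.append(Alert(agent, metric, day, per_day[day], mean, sd))
    return alerts


def constructed_log():
    """Constructed sample events (not real SysAid logs): seven quiet days,
    then a day with a burst of license changes and a first-ever device wipe."""
    base = datetime(2025, 1, 1)
    lines = []
    for d in range(8):
        for i in range(3 if d < 7 else 20):
            ts = base + timedelta(days=d, minutes=i)
            lines.append(json.dumps({"ts": ts.isoformat() + "Z", "agent": "license-bot",
                                     "tool": "graph", "action": "license.assign",
                                     "target": f"user{i}"}))
    ts = base + timedelta(days=7, hours=3)
    lines.append(json.dumps({"ts": ts.isoformat() + "Z", "agent": "license-bot",
                             "tool": "graph", "action": "device.wipe", "target": "device-42"}))
    lines.append("not json at all")  # malformed line, must be skipped
    return lines


if __name__ == "__main__":
    for a in detect(constructed_log()):
        print(a)
```

On the constructed log the detector fires three alerts for the eighth day (graph_calls, license_mods and device_wipes) and none for the seven baseline days.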

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. CVE-2025-2775 Pre-auth XXE via Checkin endpoint in SysAid On-Prem (CVSS 9.8) yielding admin credential extraction and arbitrary file read. Patched in v24.4.60. CISA KEV with confirmed active exploitation.
  2. CVE-2025-2776 Pre-auth XXE via Server URL endpoint in SysAid On-Prem (CVSS 9.8) permitting unauthenticated admin session hijacking and sensitive file disclosure. Patched in v24.4.60. CISA KEV.
  3. CVE-2023-47246 Path traversal in SysAid On-Prem leading to code execution via Tomcat webroot write (CVSS 9.8). Exploited in-the-wild by Cl0p ransomware group. CISA KEV.
  4. CVE-2024-36394 Post-authentication OS command injection via javaLocation parameter in SysAid On-Prem enabling arbitrary command execution on the underlying host. Patched in v24.4.60.
  5. CVE-2025-2777 Pre-auth XXE in the hardware inventory service of SysAid On-Prem enabling unauthenticated enumeration of managed device serial numbers, host configurations, and network topology data. Patched in v24.4.60.

Selected Research

  6. SysOwned — SysAid On-Premise Pre-Auth RCE Chain (watchTowr Labs). Technical writeup demonstrating the full pre-auth RCE chain against SysAid On-Prem via XXE to admin credential theft to command injection, with published PoC exploit.
  7. SysAid Zero-Day Vulnerability Exploited By Lace Tempest (Rapid7). Emergency threat response documenting CVE-2023-47246 exploitation by Cl0p ransomware via WAR file upload, WebShell deployment, and GraceWire trojan injection.

Vendor Documentation

  8. SysAid AI Security and Trust Overview. Vendor documentation of prompt injection mitigations, RBAC, ephemeral Lambda execution, agent governance framework, data handling controls, and output guardrails.
  9. SysAid AI Security and Governance. Vendor security page documenting admin approval workflows, human-in-the-loop option, audit logging, LLM model choices, and compliance certifications.
  10. SysAid Data Security. Vendor data security documentation covering SOC 2 Type II, ISO 27001 and ISO 27017 certifications, AES-256 encryption at rest, TLS in transit, and AWS hosting.
  11. Connecting Microsoft Intune Graph API to the SysAid AI Agent Builder. Vendor integration guide documenting device management actions including list, update, delete, and wipe managed devices via Microsoft Graph API permissions.
  12. Connecting Microsoft License Management to SysAid AI Agent Builder. Vendor integration guide showing Directory.ReadWrite.All and User.ReadWrite.All permissions granted to the agent for license assignment automation.

Other Sources

  13. PoC exploit for SysAid pre-auth RCE released (Help Net Security). Reporting on the watchTowr PoC release and confirming CISA KEV addition with active exploitation of CVE-2025-2775 and CVE-2025-2776.
  14. CVE-2023-47246 Vulnerability Notification (SysAid). Vendor advisory for CVE-2023-47246 with Profero incident response findings, indicators of compromise, and detailed attack chain documentation.