Unauthenticated XML External Entity Vulnerability in SysAid On-Prem Product
CVE-2025-2775

CVSS 7.5 HIGH

Key Information:

Vendor: Sysaid
CVE Published: 7 May 2025

Badges

📈 Score: 1,280 | 💰 Ransomware | 👾 Exploit Exists | 🟡 Public PoC | 🟣 EPSS 51% | 🦅 CISA Reported | 📰 News Worthy

What is CVE-2025-2775?

CVE-2025-2775 is an unauthenticated XML External Entity (XXE) vulnerability in SysAid On-Prem, affecting all versions up to and including 23.3.40. The flaw sits in the Checkin processing functionality: the XML submitted to that endpoint is handed to a parser that resolves external entities, so an attacker who can reach the endpoint over the network, with no credentials at all, can declare an entity that points at a file on the server and have the parser read it. That file read primitive is what the advisory's "administrator account takeover" rests on: the files an attacker can pull from the host are enough to compromise the administrator account, and from there the attacker has full administrative control of the SysAid instance and of the data it manages. Because the defect is in how the XML is parsed rather than in any authentication check, no credentials, user interaction or prior access are needed.

Potential impact of CVE-2025-2775

  1. Administrator Account Takeover: The vulnerability allows attackers to gain unauthorized access to administrative accounts, enabling them to manipulate system settings and manage user accounts, which could lead to extensive damage within the organization.

  2. Data Exposure and File Read Access: Through exploitation, attackers could leverage this vulnerability to read sensitive files from the server, risking the exposure of confidential information, intellectual property, or critical business data.

  3. Increased Risk of Further Exploitation: The successful exploitation of this vulnerability may serve as a foothold for attackers, facilitating subsequent attacks that could spread to other systems, leading to broader network compromises or data breaches.

CISA has reported CVE-2025-2775

CISA (the US Cybersecurity and Infrastructure Security Agency) provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-2775 as being exploited in the wild. At the time of listing, CISA did not know it to be used in ransomware campaigns; that status is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

SysAid On-Prem, all versions up to and including 23.3.40

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

CISA Warns of SysAid Vulnerability Exploitation

CISA has added two recent SysAid flaws, CVE-2025-2776 and CVE-2025-2775, to its Known Exploited Vulnerabilities (KEV) catalog.

CISA Warns: SysAid Flaws Under Active Attack Enable Remote File Access and SSRF

SysAid bugs exploited in the wild; CISA mandates federal patching to stop potential admin takeovers.

CVE-2025-2775 | Arctic Wolf

watchTowr publicly disclosed technical details and a proof-of-concept exploit for a pre-authenticated Remote Code Execution chain affecting SysAid On-Premises, a self-hosted IT service management platform used by organizations to manage IT support tasks.

EPSS Score

51% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 7.5
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

The base score of 7.5 corresponds to a high confidentiality impact only; the same vector with Availability: High would score 9.1, so an Availability of High cannot be reconciled with the 7.5 shown.

Timeline

  • 🦅 CISA Reported
  • 💰 Used in Ransomware
  • 📰 First article discovered by Arctic Wolf
  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved

Credit

Sina Kheirkhah (@SinSinology)
Jake Knott
watchTowr