Unauthenticated XML External Entity Vulnerability in SysAid On-Prem Software
CVE-2025-2776

9.3 CRITICAL

Key Information:

Vendor:
SysAid
CVE Published:
7 May 2025

Badges

👾 Exploit Exists

Summary

SysAid On-Prem is vulnerable to an unauthenticated XML External Entity (XXE) injection in its Server URL processing functionality. A remote attacker who can reach the service needs no credentials: by submitting XML that declares an external entity, they can read arbitrary files from the underlying host, and the contents obtained that way can be leveraged to take over an administrator account. All On-Prem versions up to and including 23.3.40 are affected; SysAid addressed the issue in On-Prem 24.4.60 b16.
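The vulnerability class behind this advisory, as an added illustration that is not SysAid's code and does not reproduce the SysAid request: a parser that resolves external general entities lets a SYSTEM entity pointing at a file:// URI pull a local file into the parsed document, which is the file-read primitive the summary describes, while a hardened parser refuses the DOCTYPE before any entity can be declared. The element names (config, serverUrl), the secret file and its contents are constructed for the demonstration. Python's standard-library xml.sax is used because it exposes both the dangerous and the safe configuration through documented switches.

```python
"""XXE demonstration: external general entities enabled versus a parser that
rejects any DOCTYPE.  Constructed example; not SysAid code."""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler

# Constructed file content standing in for a config file on the target host.
SECRET = "db.password=constructed-secret"


class TextCollector(ContentHandler):
    """Collects all character data so we can see exactly what the parser resolved."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class DoctypeForbidden(ValueError):
    """Raised by the hardened parser when untrusted input carries a DOCTYPE."""


class RejectDoctype:
    """Lexical handler: abort on the first DOCTYPE, before any entity is declared."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeForbidden(f"DOCTYPE {name!r} not allowed in untrusted XML")

    # expatreader wires the remaining lexical events too; they are no-ops here.
    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def xxe_payload(target_uri: str) -> bytes:
    """Classic in-band XXE: declare an external entity, reference it in a field.
    Element names are constructed and are not SysAid's real schema."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE config [<!ENTITY xxe SYSTEM "{target_uri}">]>\n'
        "<config><serverUrl>&xxe;</serverUrl></config>"
    ).encode()


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Parser with external general entities enabled: a file:// entity is fetched
    and its contents are returned as if they were ordinary element text."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the dangerous setting
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened parser: external entities off and any DOCTYPE rejected outright."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # default since 3.7.1; set explicitly
    parser.setProperty(property_lexical_handler, RejectDoctype())
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def run_demo():
    """Write a constructed secret file, fire the payload at both parsers and
    return (text leaked by the vulnerable parser, whether the hardened one refused)."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write(SECRET)
        secret_path = fh.name
    try:
        payload = xxe_payload(Path(secret_path).as_uri())
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            rejected = False
        except DoctypeForbidden:
            rejected = True
    finally:
        os.unlink(secret_path)
    return leaked, rejected


if __name__ == "__main__":
    leaked, rejected = run_demo()
    print("vulnerable parser leaked:", leaked)
    print("hardened parser rejected DOCTYPE:", rejected)
```

The hardened parser keeps working for legitimate input that carries no DOCTYPE, so rejecting the DTD outright costs nothing for a field that is only ever supposed to hold a URL. For Java JAXP parsers the equivalent control is the `http://apache.org/xml/features/disallow-doctype-decl` feature on the DocumentBuilderFactory; disabling entity resolution alone is weaker, since a parser that still reads the DTD can be abused for parameter-entity tricks.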

Affected Version(s)

SysAid On-Prem, all versions up to and including 23.3.40

CVSS V3.1

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Sina Kheirkhah (@SinSinology)
Jake Knott
watchTowr