CVE-2025-2775
SysAid On-Prem <= 23.3.40 Checkin Processing XML External Entity Injection
Basic Information
- CVE State: PUBLISHED
- Reserved Date: March 24, 2025
- Published Date: May 07, 2025
- Last Updated: May 08, 2025
- Vendor: SysAid
- Product: SysAid On-Prem
- Description: SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
- Tags:
- Score: 15.13% (Percentile: 94.26%) as of 2025-07-17
- Exploitation: poc
- Automatable: Yes
- Technical Impact: partial
- Exploited in the Wild: Yes (2025-06-24 00:00:00 UTC)
- Source: nuclei_scanner
CVSS Scores
- CVSS v3.1: 9.3 - CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2025-06-25 12:00:24 UTC |
Recent Mentions
CVE-2025-2775: PoC Released for SysAid On-Premises Pre-Auth RCE Vulnerability
Source: Arctic Wolf • Published: 2025-05-07 20:06:39 UTC
On May 7, 2025, watchTowr publicly disclosed technical details and a proof-of-concept (PoC) exploit for a pre-authenticated Remote Code Execution (RCE) chain affecting SysAid On-Premises, a self-hosted IT service management (ITSM) platform used by organizations to manage IT support tasks. Although the vulnerabilities were patched in March 2025, they had not been assigned Common Vulnerabilities ...
SysAid Patches 4 Critical Flaws Enabling Pre-Auth RCE in On-Premise Version
Source: TheHackerNews • Published: 2025-05-07 11:31:00 UTC
Cybersecurity researchers have disclosed multiple security flaws in the on-premise version of SysAid IT support software that could be exploited to achieve pre-authenticated remote code execution with elevated privileges.
The vulnerabilities, tracked as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, have all been described as XML External Entity (XXE) injections, which occur when an attacker is
SysOwned, Your Friendly Support Ticket - SysAid On-Premise Pre-Auth RCE Chain (CVE-2025-2775 And Friends)
Source: Watchtower Labs • Published: 2025-05-07 09:38:35 UTC
It’s… another week, and another vendor who is apparently experienced with ransomware gangs but yet struggles with email. In what we've seen others term "the watchTowr treatment", we are once again (surprise, surprise) disclosing vulnerability research that allowed us to gain pre-authenticated Remote
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-2775.yaml | 2025-05-10 14:30:22 UTC |
Timeline
- CVE ID Reserved
- CVE Published to Public
- Detected by Nuclei
- Added to KEVIntel