CVE-2025-2776

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://documentation.sysaid.com/docs/24-40-60	Release Notes
https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sysaid:sysaid:*:*:*:*:on-premises:*:*:*

History

27 Jun 2025, 15:22

Type	Values Removed	Values Added
CPE		cpe:2.3:a:sysaid:sysaid:::::on-premises:::*
First Time		Sysaid Sysaid sysaid
References	~~() https://documentation.sysaid.com/docs/24-40-60 -~~	() https://documentation.sysaid.com/docs/24-40-60 - Release Notes
References	~~() https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/ -~~	() https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/ - Exploit, Third Party Advisory

08 May 2025, 14:39

Type	Values Removed	Values Added
Summary		(es) Las versiones de SysAid On-Prem <= 23.3.40 son afectados por una vulnerabilidad de entidad externa XML no autenticada (XXE) en la funcionalidad de procesamiento de URL del servidor, lo que permite la toma de control de la cuenta del administrador y primitivas de lectura de archivos.

07 May 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-07 15:15

Updated : 2025-06-27 15:22

NVD link : CVE-2025-2776

Mitre link : CVE-2025-2776

CVE.ORG link : CVE-2025-2776

JSON object : View

Products Affected

sysaid

sysaid

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2025-2776", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-05-07T15:15:57.573", "references": [{"url": "https://documentation.sysaid.com/docs/24-40-60", "tags": ["Release Notes"], "source": "disclosure@vulncheck.com"}, {"url": "https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/", "tags": ["Exploit", "Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives."}, {"lang": "es", "value": "Las versiones de SysAid On-Prem <= 23.3.40 son afectados por una vulnerabilidad de entidad externa XML no autenticada (XXE) en la funcionalidad de procesamiento de URL del servidor, lo que permite la toma de control de la cuenta del administrador y primitivas de lectura de archivos."}], "lastModified": "2025-06-27T15:22:41.477", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sysaid:sysaid:*:*:*:*:on-premises:*:*:*", "vulnerable": true, "matchCriteriaId": "9F967FFC-8AE4-4215-B2F5-333870F75899", "versionEndIncluding": "23.3.40"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}