CVE-2025-2775
Published 2025-05-07
Priority: P1 · 89 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2025-08-12
Exploited in the wild
EPSS: 55.18% (98.9th percentile)
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sysaid | sysaid | <= 23.3.40 | — |
| sysaid | sysaid_on-prem | <= 23.3.40 | — |
Detection & IOCs (extracted from sources)

Snort rule:

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS SysAid XML External Entity Injection Attempt (CVE-2025-2775)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mdm/checkin"; fast_pattern; http.request_body; content:"|3c 3f|xml"; startswith; content:"|3c 21|ENTITY|20 25|"; distance:0; reference:cve,2025-2775; classtype:web-application-attack; sid:2062515; rev:1; metadata:attack_target Server, created_at 2025_05_22, cve CVE_2025_2775, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag AI_Generated_Description, updated_at 2025_05_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```

Byte pattern: |3c 3f|xml at the start of the POST body, followed by |3c 21|ENTITY|20 25|
- Exploit traffic targets HTTP POST requests to the /mdm/checkin endpoint; monitor for unauthenticated POST requests to this path on SysAid On-Prem instances.
- XXE payloads in the request body begin with an XML declaration (<?xml) immediately followed by a DOCTYPE ENTITY % declaration; detect this byte pattern at the start of the POST body.
- Out-of-band XXE exploitation triggers outbound Java HTTP callbacks; look for outbound HTTP requests with a 'User-Agent: Java' header originating from the SysAid server.
- Successful XXE exploitation may be confirmed via out-of-band DNS/HTTP interaction (OAST); monitor for unexpected outbound DNS or HTTP from the SysAid server host.
- The vulnerability resides specifically in the Checkin processing functionality of SysAid On-Prem; scope detection to versions <= 23.3.40 and prioritize patching to 24.4.60.
- The Snort/ET rule (sid:2062515) requires TLS decryption to be effective if SysAid is served over HTTPS; deploy with SSLDecrypt/TLSDecrypt capability.
- CISA has found no evidence of ransomware exploitation for CVE-2025-2775 specifically at the time of the advisory, but active exploitation is confirmed; treat as high priority.
- Proof-of-concept code is publicly available, making exploitation trivial; patch to SysAid On-Prem version 24.4.60 or later immediately.
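The following Python is added here as an illustration and is not part of the page's sources or the ET ruleset: it reproduces the matching conditions of sid:2062515 (POST, URI containing /mdm/checkin, body starting with <?xml and containing <!ENTITY % after it, matched case-sensitively as Snort does without nocase) over constructed HTTP requests, so the rule's scope and what it deliberately does not fire on can be checked offline before deployment.

```python
# Patterns taken from the ET rule (sid:2062515): |3c 3f|xml and |3c 21|ENTITY|20 25|.
XML_DECL = b"<?xml"
PARAM_ENTITY = b"<!ENTITY %"
TARGET_URI = b"/mdm/checkin"


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[0], parts[1], body


def matches_sid_2062515(method: bytes, uri: bytes, body: bytes) -> bool:
    """Mirror the rule: http.method POST, http.uri contains /mdm/checkin,
    http.request_body starts with <?xml (startswith) and <!ENTITY % occurs
    anywhere after that match (distance:0). Content matches are case-sensitive."""
    if method != b"POST" or TARGET_URI not in uri:
        return False
    if not body.startswith(XML_DECL):
        return False
    return PARAM_ENTITY in body[len(XML_DECL):]


def scan_requests(raws):
    """Return the indices of the requests that would trigger the rule."""
    return [i for i, raw in enumerate(raws)
            if matches_sid_2062515(*parse_http_request(raw))]


# Constructed sample traffic (not real captures); the host name is a placeholder.
SAMPLES = [
    # 0: ordinary check-in body without a DOCTYPE -> no alert
    b"POST /mdm/checkin HTTP/1.1\r\nHost: sysaid.example\r\n\r\n"
    b"<?xml version=\"1.0\"?><Checkin><Status>Idle</Status></Checkin>",
    # 1: parameter-entity declaration after the XML declaration -> alert
    b"POST /mdm/checkin HTTP/1.1\r\nHost: sysaid.example\r\n\r\n"
    b"<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY % p \"placeholder\">]><Checkin/>",
    # 2: same body on another path -> the rule is scoped to /mdm/checkin, no alert
    b"POST /api/other HTTP/1.1\r\nHost: sysaid.example\r\n\r\n"
    b"<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY % p \"placeholder\">]>",
    # 3: general entity (no '%') -> no alert; broaden the pattern if you want any DOCTYPE flagged
    b"POST /mdm/checkin HTTP/1.1\r\nHost: sysaid.example\r\n\r\n"
    b"<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY g \"v\">]><Checkin/>",
]

if __name__ == "__main__":
    print(scan_requests(SAMPLES))  # [1]
```

Sample 3 shows the rule's blind spot: a DOCTYPE that declares only general entities passes, so a broader local rule (or parser-side DTD prohibition on the server) is the complementary control.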
CVSS provenance
- NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- VulnCheck: 9.3 CRITICAL
- CISA: 7.5 HIGH
CISA
SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
cisa · 2025-07-22 · CVSS 7.5 [HIGH] · CWE-611
Affected: SysAid SysAid On-Prem
SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://documentation.sysaid.com/docs/24-40-60 ; https://nvd.nist.gov/vuln/detail/CVE-2025-2775
Remediation Due Date: 2025-08-12
GHSA
GHSA-g3m4-2wr6-2q64: SysAid On-Prem versions <= 23
ghsa_unreviewed · 2025-05-07 · [CRITICAL] · CWE-611
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
VulnCheck
SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
vulncheck · 2025 · CVSS 9.3 [CRITICAL] · CWE-611
SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
Affected: SysAid SysAid On-Premise
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-05-19&host_type=src&vulnerability=cve-2025-2775; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-05-20&host_type=src&vulnerability=cve-2025-2775;
Suricata
ET WEB_SPECIFIC_APPS SysAid On-Prem Authenticated updateApi Arbitrary OS Command Injection (CVE-2025-2778)
suricata · 2025-12-09 · CVE-2025-2778
Rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SysAid On-Prem Authenticated updateApi Arbitrary OS Command Injection (CVE-2025-2778)"; flow:established,to_server; http.uri; content:"/API.jsp"; http.request_body; content:"updateApiSettings|3d|true"; fast_pattern; content:"javaLocation|3d|"; pcre:"/^[^&]*?(?:[\x3b\x24\x60\x7c]|\x25(?:0[aA]|3[bB]|24|60|7[cC]))/R"; reference:url,www.sonicwall.com/blog/critical-sysaid-xxe-vulnerabilities-expose-systems-to-remote-exploitation-cve-2025-2775-2777-; reference:cve,2025-2778; classtype:web-application-attack; sid:2066207; rev:1; metadata:affected_product SysAid, attack_target Server, tls_state TLSDecrypt, created_at 2025_1
```
Suricata
ET WEB_SPECIFIC_APPS SysAid XML External Entity Injection Attempt (CVE-2025-2775)
suricata · 2025-05-22 · CVSS 9.3 [CRITICAL]
Rule: sid:2062515, the ET rule reproduced in full under Detection & IOCs above.
Nuclei
SysAid On-Prem <= 23.3.40 - XML External Entity
nuclei · CVSS 7.5 [HIGH]
Template excerpt (SysAid On-Prem):

```yaml
%foo;
]>
matchers-condition: and
matchers:
  - type: word
    part: interactsh_protocol
    words:
      - "http"
  - type: word
    part: interactsh_request
    words:
      - "User-Agent: Java"
```
BleepingComputer
CISA warns of hackers exploiting SysAid vulnerabilities in attacks
blogs_bleepingcomputer · 2025-07-23 · CVSS 9.8 [CRITICAL]
By Sergiu Gatlan
CISA has warned that attackers are actively exploiting two security vulnerabilities in the SysAid IT service management (ITSM) software to hijack administrator accounts.
The two unauthenticated XML External Entity (XXE) flaws, tracked as CVE-2025-2775 and CVE-2025-2776, were reported by watchTowr Labs security researchers in December 2024 and patched in March with the release of SysAid On-Prem version 24.4.60.
One month later, watchTowr Labs also published proof-of-concept code, showing that the SysAid vulnerabilities are trivial to exploit and allow attackers to retrieve local files containing sensitive information.
While CISA didn't share any additional details regarding these ongoing attacks, it
GreyNoise
NoiseLetter March 2026
blogs_greynoiseio
GreyNoise
NoiseLetter May 2025
blogs_greynoiseio
Timeline
- 2025-05-07: Published
- 2025-07-22: Added to CISA KEV
- Exploited in the wild