cbcvebase.
CVE-2025-2775
published 2025-05-07

Priority: P1 (89, high) · CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2025-08-12)
Exploited in the wild
EPSS: 55.18% (98.9th percentile)
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.

Affected (2 ranges)

Vendor   Product          Version range   Fixed in
sysaid   sysaid           <= 23.3.40      -
sysaid   sysaid_on-prem   <= 23.3.40      -

Detection & IOCs (extracted from sources)

URL: /mdm/checkin

Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS SysAid XML External Entity Injection Attempt (CVE-2025-2775)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mdm/checkin"; fast_pattern; http.request_body; content:"|3c 3f|xml"; startswith; content:"|3c 21|ENTITY|20 25|"; distance:0; reference:cve,2025-2775; classtype:web-application-attack; sid:2062515; rev:1; metadata:attack_target Server, created_at 2025_05_22, cve CVE_2025_2775, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag AI_Generated_Description, updated_at 2025_05_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

Bytes: |3c 3f|xml at the start of the POST body, followed by |3c 21|ENTITY|20 25|
  • Exploit traffic targets HTTP POST requests to the /mdm/checkin endpoint: monitor for unauthenticated POST requests to this path on SysAid On-Prem instances.
  • XXE payloads in the request body begin with an XML declaration (<?xml) followed by a DOCTYPE parameter-entity declaration (<!ENTITY %): detect this byte pattern at the start of the POST body.
  • Out-of-band XXE exploitation triggers outbound HTTP callbacks from the Java runtime; look for outbound HTTP requests with a 'User-Agent: Java' header originating from the SysAid server.
  • Successful XXE exploitation may be confirmed via out-of-band DNS/HTTP interaction (OAST); monitor for unexpected outbound DNS or HTTP from the SysAid server host.
  • The vulnerability resides specifically in the Checkin processing functionality of SysAid On-Prem; scope detection to versions <= 23.3.40 and prioritize patching to 24.4.60.
  • The Snort/ET rule (sid:2062515) inspects the request body, so it is only effective if SysAid is served over HTTPS when TLS is decrypted in front of the sensor; deploy with SSLDecrypt/TLSDecrypt capability.
  • CISA has found no evidence of ransomware exploitation for CVE-2025-2775 specifically at the time of the advisory, but active exploitation is confirmed; treat as high priority.
  • Proof-of-concept code is publicly available, making exploitation trivial; patch to SysAid On-Prem version 24.4.60 or later immediately.
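The rule and the first three bullets above describe two host-level checks: an inbound POST to /mdm/checkin whose body starts with an XML declaration followed by a parameter-entity declaration, and an outbound request carrying a Java User-Agent. The following is an added example (not from this page's sources or from SysAid) that applies both checks to raw HTTP requests; the sample traffic and host names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict
    body: bytes

XML_DECL = b"<?xml"           # |3c 3f|xml, must start the body (startswith)
PARAM_ENTITY = b"<!ENTITY %"  # |3c 21|ENTITY|20 25|, must follow it (distance:0)

def parse_raw_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _ = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)

def matches_sysaid_xxe_rule(req: HttpRequest) -> bool:
    """Inbound check mirroring sid:2062515: POST to /mdm/checkin whose body
    starts with an XML declaration and later declares a parameter entity."""
    if req.method.upper() != "POST" or "/mdm/checkin" not in req.uri:
        return False
    if not req.body.startswith(XML_DECL):
        return False
    return PARAM_ENTITY in req.body[len(XML_DECL):]

def is_java_callback(req: HttpRequest) -> bool:
    """Outbound check: the Java HTTP client's default User-Agent (OAST hint)."""
    return req.headers.get("user-agent", "").startswith("Java")

def classify(raw: bytes, direction: str) -> Optional[str]:
    """Return an alert string for a raw request seen in the given direction."""
    req = parse_raw_request(raw)
    if direction == "inbound" and matches_sysaid_xxe_rule(req):
        return "CVE-2025-2775 XXE attempt on /mdm/checkin"
    if direction == "outbound" and is_java_callback(req):
        return "possible XXE out-of-band callback (Java User-Agent)"
    return None

# Constructed sample traffic (not real captures); hosts are placeholders.
INBOUND_XXE = (b"POST /mdm/checkin HTTP/1.1\r\nHost: sysaid.example\r\n"
               b"Content-Type: application/xml\r\n\r\n<?xml version=\"1.0\"?>\n"
               b"<!DOCTYPE d [<!ENTITY % e SYSTEM \"http://oast.example/\">]>\n<d/>")
INBOUND_BENIGN = (b"POST /mdm/checkin HTTP/1.1\r\nHost: sysaid.example\r\n\r\n"
                  b"<?xml version=\"1.0\"?>\n<checkin/>")
OUTBOUND_JAVA = b"GET /x HTTP/1.1\r\nHost: oast.example\r\nUser-Agent: Java/17.0.2\r\n\r\n"
```

A benign device check-in that contains no parameter-entity declaration does not trigger the inbound check, which is the false-positive case the `distance:0` content match in the rule is meant to exclude.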

CVSS provenance

NVD: v3.1 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
VulnCheck: 9.3 CRITICAL
CISA: 7.5 HIGH