Description
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
Product(s):
- sysaid sysaid_on-premises *
Question to Ask Vendors:
- 1: Have you updated your SysAid On-Premises to version 24.4.60 b16 or later to mitigate the risk of CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777?
- 2: Can you confirm that all external access points to SysAid endpoints (/mdm/checkin, /mdm/serverurl, /lshw) have been secured or restricted from unauthorized external connections?
- 3: Are you actively monitoring SysAid server logs for signs of suspicious or malicious requests targeting these endpoints?
- 4: Have you reviewed and updated your incident response procedures to ensure rapid identification and remediation capabilities for XXE-based vulnerabilities?
Recommended Actions:
- Ensure all external access points to SysAid endpoints (/mdm/checkin, /mdm/serverurl, /lshw) are appropriately secured or restricted from unauthorized external connections.
- Monitor SysAid server logs actively for signs of suspicious or malicious requests targeting these endpoints.
- Review incident response procedures, ensuring rapid identification and remediation capabilities for XXE-based vulnerabilities.
- Upgrade SysAid Immediately: Update to SysAid On-Premises version 24.4.60 b16 or later. Since this vulnerability is tagged as 'Medium,' it's important to verify whether you're using the affected product.
References:
- http://webappsec.pbworks.com/XML-External-Entities
- https://capec.mitre.org/data/definitions/221.html
- https://documentation.sysaid.com/docs/24-40-60
- https://nvd.nist.gov/vuln/detail/CVE-2025-2775
- https://nvd.nist.gov/vuln/detail/CVE-2025-2776
- https://nvd.nist.gov/vuln/detail/CVE-2025-2777
- https://thehackernews.com/sysaid-vulnerabilities
- https://watchtowr.com/sysowned-research