CVE-2025-2775

SysAid On-Prem <= 23.3.40 Checkin Processing XML External Entity Injection

CVSS 9.3 CRITICAL · EPSS 55.2% · KEV · CWE-611
In short

SysAid On-Prem up to version 23.3.40 has a critical flaw in how it processes check-in data that lets attackers read files and take over administrator accounts without needing to log in first.

Technical detail

An unauthenticated XXE vulnerability exists in the Checkin processing endpoint (CWE-611) that allows attackers to inject malicious XML entities to read arbitrary files or execute actions with administrator privileges. The attack requires no prior authentication and can lead to complete system compromise through admin account takeover.

Summary generated and translated by AI from the official description.
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Affected products
SysAid · SysAid On-Prem