CVE Alert: CVE-2025-2775 – SysAid – SysAid On-Prem
CVE-2025-2775
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
AI Summary Analysis
Risk verdict
Critical risk: active exploitation of an unauthenticated XML External Entity (XXE) in the Checkin processing, with urgent remediation required (treat as priority 1).
Why this matters
An attacker can achieve administrator account takeover and read sensitive files, exposing high-value data and enabling further compromise. In On-Prem deployments, exposed Checkin endpoints are common attack surfaces, making rapid patching and access control essential to prevent widespread impact.
Most likely attack path
- Attacker targets the Checkin endpoint over the network without credentials.
- A crafted XML payload triggers the XXE, enabling access to admin credentials or admin session context.
- With admin access, the attacker can read protected files and perform privileged actions, with potential lateral movement within the affected host or environment depending on network segmentation.
Who is most exposed
Organisations hosting SysAid On-Prem, especially where the service is reachable from the public internet or via VPN, and where default or excessive admin privileges exist, are most at risk. Sectors using on-prem IT management tools (e.g., healthcare, education) often have these exposure patterns.
Detection ideas
- Alerts for unusual or oversized XML payloads directed at the Checkin endpoint.
- Logs showing external entity references or XML parsing errors tied to Checkin processing.
- Creation of new or anomalous admin accounts, or privileged actions by existing ones.
- Unusual file read/access events or exfiltration attempts from critical SysAid directories.
- Unexpected authentication events from management consoles or admin sessions.
Mitigation and prioritisation
- Apply the latest patched version or vendor-supplied fix; treat as priority 1 due to KEV/SSVC exploitation status.
- If patching now isn’t feasible, implement compensating controls: restrict Checkin access to trusted networks, deploy WAF/IPS rules to block XXE patterns, and disable unauthenticated endpoints where possible.
- Harden XML processing: disable external entity resolution and DTD processing where feasible.
- Enforce least privilege for admins and implement multi-factor authentication for privileged access.
- Plan and test patch rollout; monitor for signs of exploitation during and after remediation.
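The following is an added example, written for this page rather than taken from SysAid or the vendor's code, that turns two of the points above into working code: the "Detection ideas" (flag oversized payloads and payloads carrying DTD/entity markup before they reach the application) and the "Harden XML processing" item (a parser that refuses any DOCTYPE declaration or external entity reference outright). It uses only the Python standard library and assumes a hypothetical flat `<checkin>` document with simple text children; the endpoint, field names, size budget and sample payloads are constructed for illustration and are not SysAid's.

```python
"""Defensive XML intake for an XML-accepting endpoint (added example, not SysAid code).

inspect_body()  - pre-parse triage matching the detection ideas above.
hardened_parse() - expat-based parser that rejects DOCTYPE and external entities,
                   i.e. the 'disable DTD processing / external entity resolution'
                   mitigation, implemented as a hard refusal rather than a toggle.
"""
import re
import xml.parsers.expat as expat

# A legitimate check-in document has no reason to carry a DTD or entity declaration.
DTD_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)
# Assumed size budget for this kind of payload; tune to the real endpoint.
MAX_BODY_BYTES = 64 * 1024


def inspect_body(body: bytes, max_bytes: int = MAX_BODY_BYTES) -> list:
    """Return the reasons a request body looks suspicious (empty list means clean).

    Suitable for a WAF/IPS-style rule or an alerting hook in front of the parser.
    """
    reasons = []
    if len(body) > max_bytes:
        reasons.append(f"oversized:{len(body)}")
    if DTD_RE.search(body):
        reasons.append("dtd-markup")
    return reasons


class RejectedXML(ValueError):
    """Raised when a document is refused by the hardened parser."""


def hardened_parse(body: bytes) -> dict:
    """Parse a flat <root><child>text</child>...</root> document into {child: text}.

    Any DOCTYPE declaration (and therefore any internal or external entity) and any
    external entity reference is refused before the document is processed further.
    """
    parser = expat.ParserCreate()
    # Never expand parameter entities, even if a DOCTYPE somehow got through.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedXML(f"DOCTYPE not allowed (name={name!r})")

    def reject_external(context, base, sysid, pubid):
        raise RejectedXML(f"external entity not allowed (system id={sysid!r})")

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external

    fields = {}
    stack = []   # element names from the root down to the current element
    buf = []     # character data of the element currently being read

    def start(name, attrs):
        stack.append(name)
        buf.clear()

    def chars(data):
        buf.append(data)

    def end(name):
        if len(stack) == 2:  # direct child of the root element
            fields[name] = "".join(buf).strip()
        stack.pop()
        buf.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end

    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    return fields


def is_rejected(body: bytes) -> bool:
    """True if the hardened parser refuses the body (helper for checks/tests)."""
    try:
        hardened_parse(body)
    except RejectedXML:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample payloads; the second carries DTD markup and is refused.
    clean = b"<checkin>\n  <host>ws01</host>\n  <agent>1.0</agent>\n</checkin>"
    dtd = b'<!DOCTYPE c [<!ENTITY x "y">]><checkin><host>&x;</host></checkin>'
    for body in (clean, dtd):
        print(inspect_body(body), "rejected" if is_rejected(body) else hardened_parse(body))
```

Running `inspect_body` in front of the application gives the alerting signal the detection list asks for (oversized bodies, DTD markup); `hardened_parse` is the belt-and-braces control behind it, so a payload that evades the regex is still refused at the parser. Rejecting every DOCTYPE is stricter than only disabling external entities, but for a machine-generated check-in document there is no legitimate use of one, and it also removes internal-entity expansion abuse.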