CVE-2025-2776 (GCVE-0-2025-2776)
Vulnerability from cvelistv5 – Published: 2025-05-07 14:50 – Updated: 2025-11-19 18:33- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://documentation.sysaid.com/docs/24-40-60 | vendor-advisory |
| https://labs.watchtowr.com/sysowned-your-friendly… | exploit |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
| Vendor | Product | Version | |
|---|---|---|---|
| SysAid | SysAid On-Prem |
Affected:
0 , ≤ 23.3.40
(custom)
|
CISA
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Timestamps
Scope
Evidence
Type: Vendor Report
Signal: Successful Exploitation
Confidence: 80%
Source: cisa-kev
Details
| Cwes | CWE-611 |
|---|---|
| Feed | CISA Known Exploited Vulnerabilities Catalog |
| Product | SysAid On-Prem |
| Due Date | 2025-08-12 |
| Date Added | 2025-07-22 |
| Vendorproject | SysAid |
| Vulnerabilityname | SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability |
| Knownransomwarecampaignuse | Unknown |
References
Shadowserver
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Characteristics
Timestamps
Scope
Evidence
Type: Honeypot
Signal: In The Wild Attempts
Confidence: 70%
Source: shadowserver
Details
| 1D | 1 |
|---|---|
| Iot | no |
| Feed | Shadowserver Foundation honeypot/exploited-vulnerabilities |
| Type | http-scan |
| Class | device-management-platform |
| 7D Avg | 0 |
| Vendor | SysAid |
| 30D Avg | 2 |
| 90D Avg | 1 |
| Product | SysAid On-Premise |
| Cisa Kev | yes |
| Connections | 3 |
| Observation Date | 2026-07-06 |
| Vulnerability Class | CVSS |
| Vulnerability Score | 9.3 |
| Vulnerability Severity | Critical |
References
KEVIntel
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Timestamps
Scope
Evidence
Type: Public Report
Signal: Successful Exploitation
Confidence: 70%
Source: kevintel
Details
| Feed | KEVIntel (kevintel.com) |
|---|---|
| Title | SysAid On-Prem <= 23.3.40 serverurl Proceessing XML External Entity Injection |
| Vendor | SysAid |
| Product | SysAid On-Prem |
| Added Date | 2026-06-01T10:37:22.535Z |
| Cvss Score | 9.3 |
| Epss Score | 0.72971 |
| Cvss Severity | CRITICAL |
| Epss Percentile | 0.9938 |
| Used In Malware | unknown |
| Ahead Of Cisa Kev |
|
| Not Yet In Cisa Kev | False |
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2776",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-22T03:55:28.273841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-07-22",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2776"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:17.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2776"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-22T00:00:00.000Z",
"value": "CVE-2025-2776 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"serverurl"
],
"product": "SysAid On-Prem",
"vendor": "SysAid",
"versions": [
{
"lessThanOrEqual": "23.3.40",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sysaid:sysaid_on-premises:*:*:*:*:*:*:*:*",
"versionEndIncluding": "23.3.40",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sina Kheirkhah (@SinSinology)"
},
{
"lang": "en",
"type": "finder",
"value": "Jake Knott"
},
{
"lang": "en",
"type": "sponsor",
"value": "watchTowr"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eSysAid On-Prem versions \u0026lt;= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.\u003c/div\u003e"
}
],
"value": "SysAid On-Prem versions \u003c= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives."
}
],
"impacts": [
{
"capecId": "CAPEC-250",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-250 XML Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T18:33:05.781Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://documentation.sysaid.com/docs/24-40-60"
},
{
"tags": [
"exploit"
],
"url": "https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SysAid On-Prem \u003c= 23.3.40 serverurl Proceessing XML External Entity Injection",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-2776",
"datePublished": "2025-05-07T14:50:40.717Z",
"dateReserved": "2025-03-24T21:52:44.166Z",
"dateUpdated": "2025-11-19T18:33:05.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2025-2776",
"cwes": "[\"CWE-611\"]",
"dateAdded": "2025-07-22",
"dueDate": "2025-08-12",
"knownRansomwareCampaignUse": "Unknown",
"notes": "https://documentation.sysaid.com/docs/24-40-60 ; https://nvd.nist.gov/vuln/detail/CVE-2025-2776",
"product": "SysAid On-Prem",
"requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"shortDescription": "SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.",
"vendorProject": "SysAid",
"vulnerabilityName": "SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability"
},
"epss": {
"cve": "CVE-2025-2776",
"date": "2026-07-08",
"epss": "0.72971",
"percentile": "0.99384"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-2776\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2025-05-07T15:15:57.573\",\"lastModified\":\"2026-06-17T09:07:36.360\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SysAid On-Prem versions \u003c= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.\"},{\"lang\":\"es\",\"value\":\"Las versiones de SysAid On-Prem \u0026lt;= 23.3.40 son afectados por una vulnerabilidad de entidad externa XML no autenticada (XXE) en la funcionalidad de procesamiento de URL del servidor, lo que permite la toma de control de la cuenta del administrador y primitivas de lectura de archivos.\"}],\"affected\":[{\"source\":\"disclosure@vulncheck.com\",\"affectedData\":[{\"vendor\":\"SysAid\",\"product\":\"SysAid On-Prem\",\"defaultStatus\":\"affected\",\"modules\":[\"serverurl\"],\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"23.3.40\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2025-07-22T03:55:28.273841Z\",\"id\":\"CVE-2025-2776\",\"options\":[{\"exploitation\":\"active\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"cisaExploitAdd\":\"2025-07-22\",\"cisaActionDue\":\"2025-08-12\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability\",\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sysaid:sysaid:*:*:*:*:on-premises:*:*:*\",\"versionEndIncluding\":\"23.3.40\",\"matchCriteriaId\":\"9F967FFC-8AE4-4215-B2F5-333870F75899\"}]}]}],\"references\":[{\"url\":\"https://documentation.sysaid.com/docs/24-40-60\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2776\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-2776\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-22T03:55:28.273841Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2025-07-22\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2776\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-07-22T00:00:00.000Z\", \"value\": \"CVE-2025-2776 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2776\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-07T15:18:24.446Z\"}}], \"cna\": {\"title\": \"SysAid On-Prem \u003c= 23.3.40 serverurl Proceessing XML External Entity Injection\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Sina Kheirkhah (@SinSinology)\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Jake Knott\"}, {\"lang\": \"en\", \"type\": \"sponsor\", \"value\": \"watchTowr\"}], \"impacts\": [{\"capecId\": \"CAPEC-250\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-250 XML Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SysAid\", \"modules\": [\"serverurl\"], \"product\": \"SysAid On-Prem\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"23.3.40\"}], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://documentation.sysaid.com/docs/24-40-60\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/\", \"tags\": [\"exploit\"]}], \"x_generator\": {\"engine\": \"vulncheck\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"SysAid On-Prem versions \u003c= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eSysAid On-Prem versions \u0026lt;= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-611\", \"description\": \"CWE-611 Improper Restriction of XML External Entity Reference\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:sysaid:sysaid_on-premises:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"23.3.40\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2025-11-19T18:33:05.781Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-2776\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-19T18:33:05.781Z\", \"dateReserved\": \"2025-03-24T21:52:44.166Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2025-05-07T14:50:40.717Z\", \"assignerShortName\": \"VulnCheck\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.