CVE-2025-2777

9.3 CRITICAL

📋 TL;DR

SysAid On-Prem versions up to 23.3.40 contain an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality. This allows attackers to read arbitrary files from the server and potentially take over administrator accounts. Organizations running vulnerable SysAid On-Prem installations are affected.

💻 Affected Systems

Products:
  • SysAid On-Prem
Versions: <= 23.3.40
Operating Systems: All platforms running SysAid
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The vulnerability exists in the lshw XML processing functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise including administrator account takeover, sensitive file exfiltration, and potential lateral movement within the network.

🟠 Likely Case: Unauthenticated attackers reading sensitive files (configuration files, credentials) and potentially escalating to administrator access.

🟢 If Mitigated: Limited impact if proper network segmentation and access controls prevent external exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code and detailed analysis available from watchtowr labs. Attack requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 24.4.0 or later

Vendor Advisory: https://documentation.sysaid.com/docs/24-40-60

Restart Required: Yes

Instructions:

1. Back up your SysAid instance.
2. Download and install SysAid version 24.4.0 or later from the official vendor portal.
3. Restart the SysAid service.
4. Verify the installation completed successfully.

🔧 Temporary Workarounds

Disable XML External Entity Processing
Platform: all

Configure XML parsers to disable external entity processing.

Configure XML parser settings to set: FEATURE_SECURE_PROCESSING = true, DISALLOW_DOCTYPE_DECL = true

Network Access Restriction
Platform: all

Restrict access to the SysAid web interface to trusted networks only.

Configure firewall rules to limit access to SysAid ports (typically 8080, 8443) to internal IP ranges only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SysAid servers from internet and untrusted networks
  • Deploy web application firewall (WAF) with XXE protection rules and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check SysAid version via web interface admin panel or by examining installation directory version files

Check Version:

Check web interface at /help/about.jsp or examine /SysAidServer/version.txt file

Verify Fix Applied:

Verify version is 24.4.0 or later and test XXE payloads no longer work

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • Multiple failed authentication attempts from single IP
  • Requests containing XML entities like <!DOCTYPE or <!ENTITY

Network Indicators:

  • HTTP POST requests to /lshw endpoint with XML content
  • Outbound connections to external servers from SysAid host

SIEM Query:

source="sysaid" AND (uri="/lshw" OR message="XML" OR message="DOCTYPE")
