🔴 CVE-2025-2776

CVE-2025-2776 is an unauthenticated XML External Entity (XXE) vulnerability in SysAid On-Prem that allows remote attackers to achieve administrator account takeover and file read access without any authentication. This vulnerability is actively being exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities catalog.

Risk Level: HIGH_RISK
CVSS Score: 9.3
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 - Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-05-07

Added to CISA KEV: 2025-07-22 (76 days between CVE publication and KEV addition)

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2025-09-06)

Here is what is known about exploitation of CVE-2025-2776:

  • Vulnerability Overview: CVE-2025-2776 is an unauthenticated XML External Entity (XXE) vulnerability affecting SysAid On-Premise versions 23.3.40 and earlier [1][2].
  • Internet-Facing Applications/Services: This vulnerability affects internet-facing SysAid On-Prem systems [3][4], making them easily accessible to attackers.
  • Active Exploitation: There is evidence of active exploitation of CVE-2025-2776 in the wild [5][6]. CrowdSec's analysis indicates a surge in exploitation attempts, with attack volumes spiking above historical norms [7].
  • Attack Vectors and Exploitation Methods:
    - The vulnerability is exploited by injecting malicious XML entities through crafted HTTP requests during Server URL processing [8].
    - This allows attackers to bypass input validation and perform arbitrary file reads (e.g., `/etc/passwd`) and Server-Side Request Forgery (SSRF) attacks [8].
    - Successful exploitation can lead to administrator account takeover and potential remote code execution [9][10].
    - An exploit targeting SysAid On-Premise running on Windows chains multiple vulnerabilities to achieve pre-authenticated blind Remote Code Execution (RCE) [11].
  • Targeted Attacks: While it is not explicitly stated that CVE-2025-2776 has been used in targeted attacks, its nature as a pre-authentication vulnerability on internet-facing systems makes it a prime target for both opportunistic attackers and advanced persistent threats (APTs) [3].
  • CISA Known Exploited Vulnerabilities (KEV) Status: CISA added CVE-2025-2776 to its KEV catalog on July 22, 2025, based on evidence of active exploitation [5][6]. CISA mandates that Federal Civilian Executive Branch (FCEB) agencies apply mitigations per vendor instructions or discontinue the product if mitigations are unavailable [6].
  • Technical Details of Internet Exploitability:
    - CVE-2025-2776 is a pre-authentication vulnerability, meaning it can be exploited without requiring any user credentials [12][13].
    - It has a network attack vector, low attack complexity, and requires no privileges, making it easily exploitable remotely [14][10].
    - The vulnerability arises from the failure to disable external entity resolution during XML parsing [15].
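The hardening the last bullet points at, refusing DTDs so that external entities can never be resolved, as an added Python example that is not SysAid's code: a stdlib expat parser that rejects any DOCTYPE (the equivalent of the disallow-doctype-decl feature in Java XML parsers) and, as a second layer, aborts on any external entity reference. The request element names and the sample documents are constructed for this example and are not SysAid's real request format.

```python
import xml.parsers.expat
from xml.parsers.expat import ExpatError

class UnsafeXML(ValueError):
    """Raised for DTD constructs the application refuses to process."""

# Constructed samples for this example (not SysAid's real request format).
BENIGN = b"<request><serverUrl>https://helpdesk.example.test/</serverUrl></request>"
XXE_SAMPLE = (b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
              b"<request><serverUrl>&ext;</serverUrl></request>")

def parse_untrusted_xml(data: bytes, allow_doctype: bool = False) -> dict:
    """Parse untrusted XML into {element: text}. Layer 1 rejects any DOCTYPE
    (no DTD, no entity declarations); layer 2 makes expat abort on a reference
    to an external entity even when a DTD has been allowed."""
    parser = xml.parsers.expat.ParserCreate()
    result, stack = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} refused")
    def on_external_entity(context, base, sysid, pubid):
        return 0  # 0 = "not handled"; expat turns this into a parse error
    def on_start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")
    def on_text(text):
        if stack:
            result[stack[-1]] += text

    if not allow_doctype:
        parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return result

def classify(data: bytes, allow_doctype: bool = False) -> str:
    """Report which layer stopped a document, or 'accepted'."""
    try:
        parse_untrusted_xml(data, allow_doctype)
    except UnsafeXML:
        return "doctype-refused"
    except ExpatError:
        return "entity-refused"
    return "accepted"
```

With the default settings the XXE sample never reaches entity resolution at all; `allow_doctype=True` is there only to show that the second layer still stops it.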

Sources

  1. CVE Alert: CVE-2025-2776 – SysAid – SysAid On-Prem

    SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality,…

  2. CVE-2025-2776 : SysAid On-Prem versions - CVEdetails.com

    CVE-2025-2776 : SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functiona…

  3. CVE-2025-2776 Analysis: Unpatched SysAid Vulnerability Puts Global ...

    CVE-2025-2776 Analysis: Unpatched SysAid Vulnerability Puts Global Networks at Risk. Given its unauthenticated nature and exposure on internet-facing systems, this flaw is a prime target for both opportunistic attackers and advanced persistent threats (APTs).

  4. SysOwned, Your Friendly Support Ticket - SysAid On-Premise Pre ...

    It goes without saying - ITSMs are genuine, Internet-facing, treasure troves for your neighbourhood miscreants, red teams, and squirrels.

  5. CISA Adds Four Known Exploited Vulnerabilities to Catalog

    CVE-2025-6558 Google Chromium ANGLE and GPU Improper Input Validation Vulnerability; CVE-2025-2776 SysAid On-Prem Improper Restriction of XML ...