Cyber Resilience

CVE-2025-2775

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 07 May 2025
Modified: 27 October 2025
KEV Added: 22 July 2025
Patch
CVSS v3.1 Score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.6926 (98.7th percentile)
Risk Priority: 80 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2775 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in SysAid On-Prem (vendor: SysAid). Its CVSS base score is 9.3 (Critical).

Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

SysAid On-Prem versions 23.3.40 and earlier are affected by an unauthenticated XML External Entity vulnerability in the Checkin processing functionality. The flaw, classified as CWE-611, carries a CVSS 3.1 score of 9.3 and permits administrator account takeover along with file read primitives.

Remote attackers can exploit the issue over the network without credentials or user interaction, achieving high-impact outcomes that include full administrative control and disclosure of sensitive files on the server.

Vendor documentation at documentation.sysaid.com and CISA guidance direct administrators to apply the available updates that resolve the vulnerability.

The CVE appears in CISA’s known exploited vulnerabilities catalog, confirming real-world exploitation, while the EPSS score has remained elevated near its recorded peak of 0.6979.

EU & UK References

Vulnerability details

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.

CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)
KEV Date Added: 22 July 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: sysaid
Product: sysaid
Versions: ≤ 23.3.40

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10): Enforces validation of XML input at the Checkin endpoint to reject external entity declarations and thereby block XXE exploitation.

prevent (AC-3): Requires authentication and authorization before any XML processing occurs, eliminating the unauthenticated attack vector described in the CVE.

prevent: Mandates timely application of the vendor patch (24.40.60) that removes the vulnerable XXE code path in Checkin processing.
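The SI-10 control above calls for rejecting external entity declarations before the Checkin endpoint processes the document. The following is an added example, not SysAid's code and not from this page: a Python pre-parse gate that uses expat callbacks to refuse any document carrying a DOCTYPE (and so any entity declaration, internal, external or parameter), then hands only clean input to the application parser. The `<checkin>` element layout is a constructed placeholder, since the page does not document the real Checkin format.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD, the carrier for XXE payloads."""


def reject_doctype(xml_bytes: bytes) -> None:
    """Pre-parse gate: abort as soon as expat reports a DOCTYPE declaration.

    Every entity declaration (internal, SYSTEM/PUBLIC external, or parameter
    entity) must live inside a DOCTYPE, so refusing the DOCTYPE itself is the
    same policy as the Xerces disallow-doctype-decl feature.
    """
    parser = expat.ParserCreate()
    # Defence in depth: never fetch or expand parameter entities either.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raising inside the handler aborts parsing; expat re-raises it.
        raise UnsafeXML(f"DOCTYPE rejected (root={name!r}, system id={sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc


def parse_checkin(xml_bytes: bytes) -> dict:
    """Validate first, then parse. <checkin> is a constructed placeholder
    schema, not SysAid's real Checkin format."""
    reject_doctype(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != "checkin":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {child.tag: (child.text or "") for child in root}


# Constructed samples: a benign check-in and an XXE attempt against it.
BENIGN = b"<checkin><agent>host-01</agent><version>23.3.40</version></checkin>"
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE checkin [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
       b"<checkin><agent>&ext;</agent></checkin>")

if __name__ == "__main__":
    print(parse_checkin(BENIGN))
    try:
        parse_checkin(XXE)
    except UnsafeXML as exc:
        print("blocked:", exc)
```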

References