CVE-2025-2775
Published: 07 May 2025
Summary
CVE-2025-2775 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in SysAid (SysAid On-Prem). Its CVSS base score is 9.3 (Critical).
Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
SysAid On-Prem versions 23.3.40 and earlier are affected by an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality. The flaw, classified as CWE-611 (Improper Restriction of XML External Entity Reference), carries a CVSS base score of 9.3 and permits administrator account takeover as well as file read primitives.
Remote attackers can exploit the issue over the network without credentials or user interaction, achieving high-impact outcomes: full administrative control and disclosure of sensitive files on the server.
Vendor documentation at documentation.sysaid.com and CISA guidance direct administrators to apply the available updates that resolve the vulnerability.
The CVE is listed in CISA's Known Exploited Vulnerabilities catalog, confirming real-world exploitation, and its EPSS score (the estimated probability of exploitation in the wild within 30 days) has remained elevated near its recorded peak of 0.6979.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13878
Vulnerability details
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
- CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)
- KEV Date Added: 22 July 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- SysAid On-Prem versions <= 23.3.40
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): enforce validation of XML input at the Checkin endpoint so that DOCTYPE and external entity declarations are rejected before any entity is resolved, blocking XXE exploitation.
- AC-3 (Access Enforcement): require authentication and authorization before any XML processing occurs, eliminating the unauthenticated attack vector described in the CVE.
- SI-2 (Flaw Remediation): apply the vendor patch (SysAid On-Prem 24.4.60) in a timely manner; it removes the vulnerable XXE code path in Checkin processing.
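The XXE mechanism described under Deeper analysis and the two controls above (rejecting entity declarations at the Checkin endpoint, and authenticating before the parser ever sees the body), as an added example in Python. This is not SysAid's code and not part of the original page: the `checkin` root element, the `agent` child, the agent token and the secret file are all assumptions, and the secret file is constructed by the example itself. Python's expat only fetches a SYSTEM entity when a resolver is installed; the vulnerable parser installs one deliberately to mirror a Java XML parser running with external entities enabled.

```python
"""Added example (not SysAid's code): an XXE payload against a parser that
resolves external entities, beside a hardened parser that rejects DOCTYPE and
entity declarations (SI-10) behind an authentication check (AC-3).
Element names, the agent token and the secret file are assumptions."""
import hmac
import os
import tempfile
import xml.parsers.expat as expat


class XXERejected(Exception):
    """Raised by the hardened parser when a document carries a DTD or entity."""


def make_xxe_payload(path):
    """Constructed attacker document: a SYSTEM entity pointing at a server-side
    file, referenced inside an (assumed) Checkin element."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE checkin [\n'
        b'  <!ENTITY xxe SYSTEM "file://' + path.encode() + b'">\n'
        b']>\n'
        b'<checkin><agent>&xxe;</agent></checkin>'
    )


def parse_vulnerable(xml_bytes):
    """Parser that honours SYSTEM entities: whatever URI the document names is
    read from disk and spliced into the element text. Returns the text content."""
    out = []
    parser = expat.ParserCreate()

    def resolve(context, base, system_id, public_id):
        # Naive resolver: trusts the document-supplied system id (the XXE bug).
        local = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        child = parser.ExternalEntityParserCreate(context)  # inherits our handlers
        with open(local, "rb") as fh:
            child.Parse(fh.read(), True)  # file contents become character data
        return 1  # 1 = entity resolved, keep parsing

    parser.ExternalEntityRefHandler = resolve
    parser.CharacterDataHandler = out.append
    parser.Parse(xml_bytes, True)
    return "".join(out)


def parse_hardened(xml_bytes):
    """Same parse, but any DOCTYPE or entity declaration aborts the document and
    external references are never resolved (SI-10 applied to the XML input)."""
    out = []
    parser = expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise XXERejected("DOCTYPE %r not permitted" % name)

    def reject_entity(*_):
        raise XXERejected("entity declarations not permitted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = lambda *_: 0  # 0 = refuse to resolve
    parser.CharacterDataHandler = out.append
    parser.Parse(xml_bytes, True)
    return "".join(out)


def checkin_endpoint(auth_token, body, expected_token):
    """AC-3: authenticate first, so unauthenticated bytes never reach the XML
    parser. Returns an (http_status, detail) tuple."""
    if auth_token is None or not hmac.compare_digest(auth_token, expected_token):
        return 401, "authentication required"
    try:
        return 200, parse_hardened(body)
    except XXERejected as exc:
        return 400, str(exc)


def run_demo():
    """Constructed scenario: a secret file on the server, then both parsers and
    the guarded endpoint. Returns the observations as a dict."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".conf") as fh:
        fh.write("db_password=secret-token-123")  # constructed secret
        secret_path = fh.name
    payload = make_xxe_payload(secret_path)
    try:
        leaked = parse_vulnerable(payload)          # file contents come back
        try:
            parse_hardened(payload)
            hardened = "parsed"
        except XXERejected as exc:
            hardened = "rejected: %s" % exc         # stopped at the DOCTYPE
        unauth = checkin_endpoint(None, payload, "agent-key")[0]          # 401
        authed = checkin_endpoint("agent-key", payload, "agent-key")[0]   # 400
        benign = checkin_endpoint("agent-key",
                                  b"<checkin><agent>host-7</agent></checkin>",
                                  "agent-key")                            # 200
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked, "hardened": hardened, "unauth": unauth,
            "authed": authed, "benign": benign}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

Rejecting any DOCTYPE, rather than only SYSTEM entities, is the simpler and safer rule: it also stops internal-entity expansion attacks, and a legitimate check-in body has no reason to carry a DTD. The ordering in `checkin_endpoint` is the point of AC-3 here: the 401 is returned before the body is touched, so an unauthenticated client cannot even reach the parser that the patch hardens.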