CVE-2025-2776
Published: 07 May 2025
Summary
CVE-2025-2776 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in SysAid On-Prem (vendor: SysAid). Its CVSS base score is 9.3 (Critical).
Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
SysAid On-Prem versions up to and including 23.3.40 contain an unauthenticated XML External Entity (XXE) vulnerability (CWE-611) in the Server URL processing functionality. The XML parser behind that endpoint resolves and expands external entities declared in attacker-supplied input, and the endpoint can be reached without credentials. The CVSS 3.1 base score of 9.3 reflects a network attack vector, low attack complexity and no required privileges; the assessed impact is high confidentiality loss, with lesser integrity and availability impact, under changed scope.
An unauthenticated remote attacker can submit a crafted XML document containing an external entity declaration to the affected Server URL endpoint. When the parser expands the entity, the contents of arbitrary files readable by the application are disclosed, and the disclosed data is enough to take over an administrator account. These primitives enable further lateral movement and persistence within the on-premises deployment.
The vendor fixed the issue in release 24.40.60 and has published remediation guidance. The vulnerability's presence in CISA's Known Exploited Vulnerabilities catalog means CISA has evidence of exploitation in the wild and that official patches and mitigation steps are available for affected installations.
The EPSS score currently stands at 0.6260 (recorded peak 0.6657), consistent with active exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13875
Vulnerability details
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
- CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)
- KEV Date Added: 22 July 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
SysAid On-Prem versions up to and including 23.3.40 (fixed in release 24.40.60).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of XML input at the Server URL endpoint so that DOCTYPE and external entity declarations are rejected before parsing, blocking the unauthenticated XXE payload.
- AC-3 (Access Enforcement): enforces authentication and authorization checks before any XML processing occurs, eliminating the unauthenticated attack vector that leads to account takeover.
- AC-14 (Permitted Actions Without Identification or Authentication): limits the set of actions permitted without identification or authentication, preventing unauthenticated access to the vulnerable Server URL functionality.
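The file-read primitive described under Deeper analysis and the SI-10 input-validation control above, as an added example that is not SysAid's code and not part of the original advisory. It uses Python's standard-library SAX parser configured the way a vulnerable endpoint would be (external general entities resolved) beside a hardened parser that rejects any DOCTYPE both before and during parsing. The `<serverurl>` element name, the `file:///etc/passwd` target, the benign input and the fake file contents are constructed for illustration, and the entity resolver serves canned bytes so nothing is read from disk or fetched over the network; the function names are mine.

```python
"""Added example, not SysAid code: the XXE file-read primitive behind CVE-2025-2776,
reproduced offline with Python's stdlib SAX parser, beside the hardened parser that
the SI-10 control calls for. Element name, target path and file contents are constructed."""
import io
import re
import xml.sax
from xml.sax import handler, xmlreader

# Constructed attacker payload: an external general entity pointing at a server-side
# file, referenced from element content so the parser expands it into document text.
XXE_PAYLOAD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE serverurl [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    b"<serverurl>&xxe;</serverurl>\n"
)
BENIGN_INPUT = b"<serverurl>https://sysaid.example.internal/</serverurl>"

# Constructed stand-in for what the entity would pull in. A real vulnerable parser
# opens the URL itself; here the resolver serves these bytes instead.
FAKE_FILE_CONTENT = b"root:x:0:0:root:/root:/bin/bash"


class _TextCollector(handler.ContentHandler):
    """Collects character data so we can see what ended up in the parsed document."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class _RecordingResolver(handler.EntityResolver):
    """Records every URL the parser asks for, then serves the canned bytes."""
    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = xmlreader.InputSource(systemId)
        src.setByteStream(io.BytesIO(FAKE_FILE_CONTENT))
        return src


def vulnerable_parse(xml_bytes):
    """The flawed configuration: external general entities are resolved and expanded.
    Returns (document text, list of URLs the parser fetched)."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)  # the CWE-611 condition
    collector, resolver = _TextCollector(), _RecordingResolver()
    parser.setContentHandler(collector)
    parser.setEntityResolver(resolver)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks), resolver.requested


# Byte-level pre-check (SI-10): XML keywords are case-sensitive, IGNORECASE is just defensive.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class _NoDTDLexicalHandler:
    """Aborts the parse the moment a DTD starts, so a DOCTYPE that slipped past the
    byte-level check (e.g. a UTF-16 encoded body) is still refused by the parser."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def hardened_parse(xml_bytes, precheck=True):
    """Input validation per SI-10: reject DTDs before and during parsing and keep
    external entity resolution switched off. Returns the document text on success."""
    if precheck and _DOCTYPE_RE.search(xml_bytes):
        raise ValueError("rejected: DOCTYPE/ENTITY declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, _NoDTDLexicalHandler())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def hardened_rejects(xml_bytes, precheck=True):
    """True when hardened_parse refuses the input; lets each layer be exercised alone."""
    try:
        hardened_parse(xml_bytes, precheck=precheck)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    leaked, fetched = vulnerable_parse(XXE_PAYLOAD)
    print("vulnerable parser fetched", fetched, "and leaked:", leaked)
    print("hardened parser accepts benign input:", hardened_parse(BENIGN_INPUT))
    print("hardened parser rejects payload:", hardened_rejects(XXE_PAYLOAD))
```

The vulnerable path shows the two things an XXE gives the attacker: the parser itself requests the attacker-chosen URL, and whatever comes back lands in the document text the application goes on to process or echo. The hardened path layers a cheap byte-level reject (suitable for a WAF or request filter) under a parser-level refusal, and the parser-level check is the one that must not be bypassable, since the byte check misses DOCTYPEs in other encodings. For a Java product such as SysAid the equivalent hardening is enabling the `http://apache.org/xml/features/disallow-doctype-decl` feature on the `DocumentBuilderFactory` or `SAXParserFactory`, and, where DTDs must be accepted, disabling external general and parameter entities.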