
CVE-2025-2776

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 07 May 2025
Modified: 27 October 2025
KEV Added: 22 July 2025
Patch: available (see Deeper analysis)
CVSS Score v3.1: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.6260 (98.4th percentile)
Risk Priority: 76 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2776 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in SysAid On-Prem. Its CVSS v3.1 base score is 9.3 (Critical).

Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

SysAid On-Prem versions up to and including 23.3.40 contain an unauthenticated XML External Entity vulnerability (CWE-611) in the Server URL processing functionality. The flaw permits external entity expansion during XML handling and can be triggered without credentials. Its CVSS 3.1 score of 9.3 reflects a network attack vector, low attack complexity, no privileges or user interaction required, high confidentiality impact, no integrity impact and low availability impact, with a changed scope.

An unauthenticated remote attacker can submit a malicious XML payload to the affected Server URL endpoint, resulting in arbitrary file disclosure on the server and the ability to take over an administrator account. These primitives give the attacker a foothold for lateral movement or persistence within the on-premises deployment.
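The entity-expansion behaviour described above, shown as an added example (this is not SysAid's code): an XML handler with external general entities enabled, which inlines the contents of a local file referenced by a SYSTEM entity, next to a hardened handler that applies the SI-10 style input check (reject any DTD) before parsing and keeps entity resolution off. The <serverUrl> element name, the sample bodies and the temporary "secret" file are constructed for illustration; the real SysAid schema and endpoint internals are not on this page.

```python
"""XXE demo: vulnerable vs hardened XML handling (added example, not SysAid code).

The <serverUrl> element, the sample request bodies and the temporary secret
file are constructed for illustration only.
"""
import io
import os
import pathlib
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the document's character data (what the application would read)."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def parse_server_url_vulnerable(xml_bytes: bytes) -> str:
    """Mirrors the flaw class: external general entities are resolved, so a
    SYSTEM entity pointing at a local file is inlined into the element text."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the dangerous setting
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


# Any DOCTYPE or ENTITY declaration is refused outright; the endpoint has no
# legitimate need for a DTD, so this is a cheap whole-class block.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_server_url_hardened(xml_bytes: bytes) -> str:
    """SI-10 style input validation: reject DTDs before parsing, and keep
    external entity resolution disabled in the parser (defence in depth)."""
    if DTD_MARKER.search(xml_bytes):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def build_xxe_payload(target_path: str) -> bytes:
    """Constructed attacker payload: a SYSTEM entity that reads target_path."""
    uri = pathlib.Path(target_path).resolve().as_uri().encode()
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE x [ <!ENTITY xxe SYSTEM "' + uri + b'"> ]>\n'
        b"<serverUrl>&xxe;</serverUrl>\n"
    )


def demo() -> dict:
    """Runs both handlers on a benign body and an XXE body; returns the outcomes."""
    # Constructed secret file standing in for a server-side config file.
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write("db.password=hunter2")
        secret_path = f.name
    try:
        benign = b"<serverUrl>https://helpdesk.example.internal</serverUrl>"
        xxe = build_xxe_payload(secret_path)
        results = {
            "benign_vulnerable": parse_server_url_vulnerable(benign),
            "benign_hardened": parse_server_url_hardened(benign),
            # The vulnerable handler returns the file's contents as element text.
            "xxe_vulnerable": parse_server_url_vulnerable(xxe),
        }
        try:
            parse_server_url_hardened(xxe)
            results["xxe_hardened"] = "ACCEPTED (bug)"
        except ValueError as err:
            results["xxe_hardened"] = f"rejected: {err}"
    finally:
        os.unlink(secret_path)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The pre-parse check is deliberately placed before any parser is constructed: once a DTD reaches the parser, correctness depends on every entity-related feature being off, whereas rejecting the declaration removes the whole class of payload regardless of parser configuration.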

The vendor has published remediation guidance in release 24.40.60. The vulnerability also appears in CISA's Known Exploited Vulnerabilities catalog, which only lists flaws with a clear remediation action, so official patches and mitigation steps are available for affected installations.

The EPSS score has reached a current value of 0.6260 with a recorded peak of 0.6657, consistent with active exploitation interest following disclosure.


Vulnerability details

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.

CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: SysAid
Product: SysAid On-Prem
Versions: ≤ 23.3.40

Mitigating Controls

Control framework: NIST 800-53 r5

prevent: SI-10 (Information Input Validation)

Validate XML input at the Server URL endpoint so that external entity declarations are rejected, blocking the unauthenticated XXE payload before it reaches the parser.

prevent: AC-3 (Access Enforcement)

Enforce authentication and authorization checks before any XML processing occurs, removing the unauthenticated attack vector that leads to account takeover.

prevent: AC-14 (Permitted Actions without Identification or Authentication)

Limit the set of actions permitted without identification or authentication, so that the vulnerable Server URL functionality cannot be reached by an unauthenticated client.
