CVE-2025-2776 Scanner
CVE-2025-2776 Scanner - XML External Entity (XXE) vulnerability in SysAid On-Prem
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 8 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
SysAid On-Prem is a widely used ITSM platform that provides features like helpdesk ticketing, asset tracking, remote control, and more. Designed primarily for internal IT teams and enterprises with self-hosted requirements, it is used across a broad range of industries including education, healthcare, and government.
This scanner targets an unauthenticated XML External Entity (XXE) vulnerability in SysAid On-Prem's `/mdm/serverurl` endpoint. The vulnerable server resolves external entities declared in submitted XML payloads, potentially exposing internal files or enabling privilege escalation. The root cause is an improperly configured XML parser that does not disable external entity processing, leading to high-risk data leakage or account compromise.
The detection works by submitting a crafted XML payload that references an external DTD hosted on a domain the scanner controls. When the vulnerable server parses this payload, it makes an outbound HTTP request, and that interaction confirms the vulnerability. Specific markers, such as the Java User-Agent and the HTTP request method, are used to validate that the outbound request was caused by the XXE.
Successful exploitation may expose sensitive system files, configuration secrets, or credentials. In more advanced attack scenarios, it could be used to impersonate administrative users or extract environment files, further expanding access across the infrastructure. Given that no authentication is required, this vulnerability is extremely dangerous in exposed environments.