S4E

CVE-2025-2777 Scanner

CVE-2025-2777 Scanner - XML External Entity (XXE) vulnerability in SysAid On-Prem

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 month 20 days
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

SysAid On-Prem is a comprehensive IT service management solution widely used by organizations to streamline IT processes and provide efficient support services. Typically deployed within corporate environments, this software facilitates task automation, ticket management, and IT asset management, benefiting IT departments and service desks. It is valuable in industries such as healthcare, finance, and education, supporting thousands of user requests regularly. The platform caters to IT administrators, support staff, and end-users, enhancing communication and response time. Featuring a range of modules, SysAid On-Prem is customizable to fit different enterprise needs and delivers advanced analytics for business insights.

XML External Entity (XXE) is a serious security vulnerability that allows an attacker to interfere with an application's processing of XML data. By exploiting an XXE vulnerability, attackers can gain unauthorized access to sensitive data, including files on the host system or on other systems the server can access. This can lead to data breaches that expose confidential information. It may also enable an attacker to initiate server-side request forgery (SSRF) attacks. XXE vulnerabilities can also result in Denial of Service (DoS) by causing an application to crash. Successful XXE exploitation can severely affect the integrity and confidentiality of the compromised system.

The vulnerability in SysAid On-Prem is located in the lshw processing functionality and is a classic case of an unauthenticated XML External Entity vulnerability. When XML input containing a reference to an external entity is processed, the vulnerable server can be made to read arbitrary files or initiate network connections. The primary attack vector is an HTTP POST request to the /lshw endpoint with a crafted XML payload. Parameters such as osVer, osCode, osKernel, agentVersion, and serial are present in the URL, but the core vulnerability lies in the parsing of the XML content. This flaw enables a remote, unauthenticated attacker to execute potentially harmful actions.
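A defender-side check for the request described above, as an added example that is not S4E's or SysAid's code: it flags POST requests to /lshw in access-log lines and, where a proxy or WAF has captured the body, any DTD declaration in it. The log format, the function names and the premise that legitimate lshw XML carries no DOCTYPE are assumptions; the sample lines and body are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters the page lists for the /lshw request.
LSHW_PARAMS = {"osVer", "osCode", "osKernel", "agentVersion", "serial"}
# A DTD declaration in the body is what lets an XML parser resolve entities.
DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)
# Assumed log shape: IP - - [time] "METHOD target HTTP/x" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(method, target, body=None):
    """Return findings for one request; an empty list means not relevant."""
    parts = urlsplit(target)
    if method.upper() != "POST" or not parts.path.rstrip("/").endswith("/lshw"):
        return []
    findings = ["post-to-lshw"]
    seen = LSHW_PARAMS & set(parse_qs(parts.query, keep_blank_values=True))
    if seen:
        findings.append("params:" + ",".join(sorted(seen)))
    if body is not None and DTD_MARKER.search(body):
        findings.append("dtd-in-body")
    return findings

def scan_access_log(lines):
    """Return (client_ip, status, findings) for log lines that hit the endpoint."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        findings = classify(method, target)
        if findings:
            hits.append((ip, int(status), findings))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/May/2025:10:00:00 +0000] "POST /lshw?osVer=1&serial=abc HTTP/1.1" 200 12',
    '192.0.2.10 - - [01/May/2025:10:00:05 +0000] "GET /lshw HTTP/1.1" 404 0',
    '192.0.2.11 - - [01/May/2025:10:00:09 +0000] "POST /index.html HTTP/1.1" 200 431',
]
# Constructed body with an internal entity only; any DTD here is unexpected.
SAMPLE_BODY = b'<?xml version="1.0"?><!DOCTYPE n [<!ENTITY e "x">]><n>&e;</n>'

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    print(classify("POST", "/lshw?osVer=1", SAMPLE_BODY))
```

A hit from an address that is not a managed agent is worth triage even without body capture, since the page describes the endpoint as reachable without authentication.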

Exploiting this vulnerability could lead to severe consequences, including unauthorized data exposure, remote code execution, and service disruption. Attackers could read sensitive system files, such as configuration or password files, potentially resulting in data leaks. Another risk is that attackers use systems accessible from the server to extend the impact through further attacks. Excessive exploitation might cause the system to become unresponsive, affecting service availability. Organizations could suffer reputational damage and legal consequences if customer data is compromised.
