External risk intelligence

SysAid Vulnerable to Account Takeover and File Exposure.

CVE advisory · Known exploit

CVE-2025-2775

A vulnerability in SysAid On-Prem software allows unauthorized access to administrator accounts and sensitive files. This impacts organizations by enabling attackers to gain control and expose internal information, posing a business risk.

Halo Surface Signal: 4

Weakness class: XML External Entity Injection

Vendor: SysAid

Affected versions: 23.3.40 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2025-2775

SysAid is an IT service management platform frequently deployed as an internet-facing web application to allow end-users to submit support tickets and administrators to manage service requests externally. The affected functionality is part of the core web interface, making it commonly reachable from the internet.

Horizon Alert

Summary of the vulnerability and why it matters

SysAid On-Prem software contains a weakness in its XML processing. This flaw could allow unauthorized individuals to gain administrator access or read sensitive files from the system. The potential impact includes unauthorized control over the system and exposure of internal information.

  • SysAid On-Prem software
  • XML external entity processing flaw
  • Administrator account takeover

Attack Path

How an attacker could exploit the issue

The identified vulnerability allows an unauthenticated attacker to compromise administrator accounts and access sensitive files on affected systems. This attack exploits a weakness in how the system processes check-in data, specifically through external XML entities. Successful exploitation could lead to unauthorized control of the system and exposure of internal information.

  • Exposed to the internet.
  • Unauthenticated attacker gains access.
  • Trigger XXE for control or data access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk to organizations using the affected SysAid software. An attacker with moderate technical skill could exploit this issue to gain unauthorized administrative access, potentially leading to widespread system compromise and sensitive data exposure. The ease of exploitation and the severity of the potential impact call for prompt attention.

  • Likely attacker skill level: Moderate.
  • Required access or conditions: Unauthenticated network access.
  • Business risk or urgency: High, potential account takeover.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability could allow unauthorized access to administrator accounts and sensitive files, posing a significant risk to organizational data and operations. The affected software is accessible over the network, potentially exposing it to external threats. The direct impact includes the potential for unauthorized account takeover and the reading of files, which could lead to further compromise.

  • Identify all deployed instances of the affected software.
  • Isolate affected systems from the network.
  • Apply vendor fixes and validate security.
  • Monitor for suspicious activity.
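The parser-level control that removes CWE-611 from an XML intake path, shown as an added example that is not SysAid's code and not the vendor fix: inbound XML is rejected the moment a DOCTYPE, entity declaration or external entity reference appears, so no entity can ever be defined or resolved. The flat check-in document layout and both sample documents are constructed assumptions.

```python
import xml.parsers.expat as expat

class XXEAttempt(Exception):
    """Raised when inbound XML tries to declare or reference any entity."""

# Constructed sample check-in documents, not real SysAid traffic.
BENIGN_CHECKIN = b"<checkin><host>ws-01</host><agent>1.2.3</agent></checkin>"
DTD_CHECKIN = (b'<!DOCTYPE checkin [<!ENTITY ext SYSTEM "file:///example">]>'
               b"<checkin><host>&ext;</host></checkin>")

def parse_untrusted_xml(data: bytes) -> dict:
    """Parse a flat <checkin> document into {child: text}. Any DOCTYPE, entity
    declaration or external entity reference aborts the parse with XXEAttempt,
    so nothing can be pulled into the document via the DTD (CWE-611)."""
    parser = expat.ParserCreate()
    # Never load parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XXEAttempt(f"DOCTYPE {name!r} not allowed in check-in data")

    def on_entity_decl(*_):
        raise XXEAttempt("entity declaration not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise XXEAttempt(f"external entity {sysid!r} blocked")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    fields, depth, buf = {}, 0, []

    def start(name, attrs):
        nonlocal depth
        depth += 1
        buf.clear()

    def end(name):
        nonlocal depth
        depth -= 1
        if depth >= 1:  # a child of the root element
            fields[name] = "".join(buf).strip()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = buf.append
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return fields
```

Rejecting the DTD outright is stricter than disabling external entity resolution alone: it also stops entity-expansion denial of service and any future entity-based trick, at the cost of refusing documents that legitimately carry a DOCTYPE.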

Frequently asked questions

What is SysAid On-Prem and its function?

SysAid On-Prem is an IT service management software designed to help organizations manage support tickets, track IT assets, and streamline IT operations. It serves as a central platform for users to request help and for IT staff to manage those requests efficiently.

How does CVE-2025-2775 enable account takeover?

CVE-2025-2775 is an XML External Entity (XXE) vulnerability. This weakness in SysAid On-Prem's processing of check-in data, specifically XML files, can be exploited by an unauthenticated attacker to gain administrator privileges, leading to account takeover.

What is the weakness class exploited by CVE-2025-2775?

The vulnerability CVE-2025-2775 is classified as an Improper Restriction of XML External Entity Reference, identified by the CWE-611 weakness.

What is the relevance of CVE-2025-2775 to external threats?

SysAid On-Prem is often deployed as an internet-facing application, making this vulnerability externally exposed. An unauthenticated attacker with network access can exploit the XXE flaw to gain administrator control or read sensitive files, posing a significant threat.

What steps should be taken to address this vulnerability?

Organizations should identify all instances of affected SysAid On-Prem software, isolate potentially compromised systems, and apply vendor-provided fixes. Continuous monitoring for suspicious activity is also recommended to ensure security after remediation.
