CVE-2025-2776

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.3 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
VulnCheckCNA
9.3 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 93%
VendorProductVersion
sysaidsysaid
𝑥
≤ 23.3.40
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://documentation.sysaid.com/docs/24-40-60
https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/