CVE-2025-2775

CRITICALCISA KEV

9.3

Descricao

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.

Detalhes CVE

Pontuacao CVSS v3.19.3

SeveridadeCRITICAL

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado5/7/2025

Ultima modificacao10/27/2025

Fontekev

Avistamentos honeypot0

CISA KEV

FornecedorSysAid

ProdutoSysAid On-Prem

Nome da vulnerabilidadeSysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability

Data inclusao KEV2025-07-22

Prazo de remediacao2025-08-12

Uso em ransomwareUnknown

Produtos afetados

sysaid:sysaid

Fraquezas (CWE)

CWE-611

Referencias

https://documentation.sysaid.com/docs/24-40-60(disclosure@vulncheck.com)

https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/(disclosure@vulncheck.com)

https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/(134c704f-9b21-4f2e-91b3-4a467353bcc0)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2775(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.