← Voltar para CVEs
CVE-2025-2776
CRITICALCISA KEV9.3
Descricao
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
Detalhes CVE
Pontuacao CVSS v3.19.3
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado5/7/2025
Ultima modificacao10/27/2025
Fontekev
Avistamentos honeypot0
CISA KEV
FornecedorSysAid
ProdutoSysAid On-Prem
Nome da vulnerabilidadeSysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
Data inclusao KEV2025-07-22
Prazo de remediacao2025-08-12
Uso em ransomwareUnknown
Produtos afetados
sysaid:sysaid
Fraquezas (CWE)
CWE-611
Referencias
https://documentation.sysaid.com/docs/24-40-60(disclosure@vulncheck.com)
https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/(disclosure@vulncheck.com)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2776(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.