CVE-2025-2775: CWE-611 Improper Restriction of XML External Entity Reference in SysAid SysAid On-Prem
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-2775 is an XML External Entity (XXE) vulnerability classified under CWE-611, affecting SysAid On-Prem versions up to 23.3.40. The vulnerability resides in the Checkin processing functionality, which improperly restricts XML external entity references. This flaw allows an unauthenticated attacker to craft malicious XML payloads that, when processed by the vulnerable system, can lead to disclosure of sensitive files on the server and unauthorized administrative account takeover. The attack vector is network-based, requiring no authentication or user interaction, which significantly lowers the barrier to exploitation. The vulnerability impacts confidentiality by exposing sensitive data and integrity by enabling administrative control takeover, although availability impact is low. The CVSS 3.1 score of 9.3 reflects these factors, emphasizing the critical nature of the vulnerability. No patches or public exploits are currently reported, but the presence of such a vulnerability in IT service management software poses a high risk to organizations relying on SysAid for internal operations. The vulnerability’s exploitation could facilitate lateral movement, data exfiltration, and persistent access within affected environments.
Potential Impact
The impact of CVE-2025-2775 is severe for organizations using SysAid On-Prem, especially those managing critical IT service operations. An attacker exploiting this vulnerability can gain unauthorized access to sensitive configuration files and credentials, leading to full administrative control over the SysAid platform. This can result in unauthorized changes to IT service management workflows, data theft, and potential disruption of IT support functions. The compromise of administrator accounts also increases the risk of further lateral movement within the network, potentially exposing other critical systems. Confidentiality is highly impacted due to file read capabilities, and integrity is compromised through administrator account takeover. Although availability impact is rated low, the operational disruption caused by administrative compromise can indirectly affect service availability. Organizations worldwide that depend on SysAid for ITSM are at risk of significant operational and reputational damage if this vulnerability is exploited.
Mitigation Recommendations
Immediate mitigation steps include disabling or restricting XML external entity processing in the SysAid On-Prem Checkin functionality if configurable. Network-level controls such as web application firewalls (WAFs) should be configured to detect and block malicious XML payloads containing external entity references. Monitoring and logging of XML processing errors and unusual administrative account activities should be enhanced to detect exploitation attempts early. Organizations should isolate SysAid servers from untrusted networks and restrict access to trusted administrators only. Until an official patch is released, consider deploying virtual patching techniques or application-layer filters to mitigate the vulnerability. Once a vendor patch becomes available, prioritize its deployment in all affected environments. Additionally, conduct a thorough audit of administrator accounts and system logs to identify any signs of compromise. Regular backups and incident response plans should be updated to address potential exploitation scenarios.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-03-24T21:52:43.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9819c4522896dcbd8992
Added to database: 5/21/2025, 9:08:41 AM
Last enriched: 2/27/2026, 12:59:39 PM
Last updated: 3/24/2026, 9:19:30 PM