
CVE-2025-2775: CWE-611 Improper Restriction of XML External Entity Reference in SysAid SysAid On-Prem

Severity: Critical
Tags: Vulnerability, CVE, CVE-2025-2775, CWE-611
Published: Wed May 07 2025 (05/07/2025, 14:43:23 UTC)
Source: CVE
Vendor/Project: SysAid
Product: SysAid On-Prem

Description

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.

AI-Powered Analysis

AI analysis last updated: 08/06/2025, 01:18:43 UTC

Technical Analysis

CVE-2025-2775 is a critical XML External Entity (XXE) vulnerability affecting SysAid On-Prem versions up to and including 23.3.40. This vulnerability arises from improper restriction of XML external entity references (CWE-611) in the Checkin processing functionality of the product. The flaw allows an unauthenticated attacker to submit specially crafted XML payloads that exploit the XXE weakness. Successful exploitation can lead to administrator account takeover and arbitrary file reading on the affected system. The vulnerability is remotely exploitable over the network without requiring any authentication or user interaction, making it highly dangerous. The CVSS v3.1 base score of 9.3 reflects the critical nature of this vulnerability, with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C). The impact on confidentiality is high due to file read capabilities and potential credential compromise, while integrity impact is not directly indicated, and availability impact is low. The vulnerability affects the core IT service management platform SysAid On-Prem, which is used by organizations to manage IT assets, incidents, and service requests. The Checkin processing functionality likely handles incoming data or communications, making it a critical attack surface. No public exploits are currently known, but the severity and ease of exploitation suggest that attackers may develop exploits rapidly. No official patches or mitigation links are provided yet, indicating that organizations must prioritize monitoring and temporary mitigations until vendor fixes are available.

Potential Impact

For European organizations using SysAid On-Prem, this vulnerability poses a significant risk. Successful exploitation can lead to full administrator account takeover, allowing attackers to manipulate IT service management processes, access sensitive organizational data, and potentially pivot to other internal systems. The ability to read arbitrary files can expose confidential information, including credentials, configuration files, and personal data protected under GDPR. This could result in data breaches, regulatory penalties, operational disruption, and reputational damage. Given that SysAid On-Prem is often deployed in enterprise environments for IT asset and incident management, compromise could disrupt critical business operations and incident response capabilities. The unauthenticated and remote nature of the vulnerability increases the likelihood of exploitation, especially in environments where the product is exposed to untrusted networks or the internet. European organizations must consider this vulnerability a high priority for risk management and incident preparedness.

Mitigation Recommendations

1. Immediate network-level controls: Restrict access to the SysAid On-Prem Checkin processing endpoint to trusted internal networks only, using firewalls or network segmentation to prevent exposure to untrusted sources.
2. Input filtering and monitoring: Implement web application firewalls (WAFs) with custom rules to detect and block XML payloads containing external entity references or suspicious XML structures.
3. Disable or restrict XML external entity processing: If possible, configure the SysAid On-Prem application or underlying XML parsers to disable external entity resolution or enable safe parsing modes to mitigate XXE risks.
4. Monitor logs and alerts: Increase monitoring of SysAid logs for unusual XML payloads or authentication anomalies that could indicate exploitation attempts.
5. Vendor engagement: Engage with SysAid support to obtain patches or official guidance as soon as they become available and plan for rapid deployment.
6. Incident response readiness: Prepare for potential compromise by reviewing backup integrity, access controls, and incident response plans specific to ITSM platform compromise scenarios.
7. Avoid exposing the SysAid On-Prem interface directly to the internet until patched.
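Recommendations 2, 3 and 4 above (filter suspicious XML, disable external entity resolution, log attempts) can be illustrated with a small defensive pipeline. The following is an added example written for this page; it is not SysAid code and makes no assumptions about how the real Checkin endpoint is implemented. It uses only the Python standard library: a pre-parse inspection that a WAF rule or log monitor could apply, followed by a strict expat-based parser that refuses any DOCTYPE declaration and any external entity reference. The sample payloads, the client address and the log-line format are constructed for the demonstration.

```python
# Added example (not SysAid code): defensive handling of inbound XML such as the
# Checkin payloads named in the advisory. Layer 1 inspects the raw body before
# parsing (WAF/log-monitor style); layer 2 parses with expat configured to refuse
# DOCTYPE declarations and external entities outright.
import re
import xml.parsers.expat as expat


class XxeRejected(ValueError):
    """Raised when a payload is refused because of XXE-relevant constructs."""


# Patterns a WAF rule or a log-monitoring job can apply before any parsing happens.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAM_ENTITY_RE = re.compile(rb"<!ENTITY\s+%", re.IGNORECASE)


def inspect_payload(data: bytes) -> list:
    """Return the XXE-relevant constructs found in a raw XML body (empty list if none)."""
    findings = []
    if DOCTYPE_RE.search(data):
        findings.append("doctype")           # a checkin message has no reason to carry a DTD
    if EXT_ENTITY_RE.search(data):
        findings.append("external_entity")   # SYSTEM/PUBLIC entity = read outside the document
    if PARAM_ENTITY_RE.search(data):
        findings.append("parameter_entity")  # building block of out-of-band XXE variants
    return findings


def parse_strict(data: bytes) -> dict:
    """Parse XML with the stdlib expat parser while refusing DOCTYPE and external entities.

    Returns {"elements": [(tag, attrs), ...], "text": "<joined character data>"}.
    """
    parser = expat.ParserCreate()
    # Never resolve parameter entities at DTD level, even if a DOCTYPE slipped through.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    result = {"elements": [], "text": ""}
    chunks = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Rejecting every DTD also blocks internal-entity expansion (billion laughs).
        raise XxeRejected(f"DOCTYPE not allowed in checkin XML (root={name!r})")

    def on_external_entity(context, base, sysid, pubid):
        # Returning 0 makes expat abort with an external-entity-handling error.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda tag, attrs: result["elements"].append((tag, dict(attrs)))
    parser.CharacterDataHandler = chunks.append
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise XxeRejected(f"parse refused: {exc}") from exc
    result["text"] = "".join(chunks).strip()
    return result


def triage_checkin(client: str, data: bytes) -> tuple:
    """Decide allow/block for one request and return (decision, log_line)."""
    findings = inspect_payload(data)
    if findings:
        return "block", f"client={client} action=block reasons={','.join(findings)}"
    try:
        parsed = parse_strict(data)
    except XxeRejected as exc:
        return "block", f"client={client} action=block reasons=parser:{exc}"
    return "allow", f"client={client} action=allow root={parsed['elements'][0][0]}"


# Constructed sample payloads (not captured traffic; the SYSTEM URI is a placeholder).
BENIGN = b'<?xml version="1.0"?><checkin><agent id="ws-01"/><status>ok</status></checkin>'
MALICIOUS = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE checkin [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
             b'<checkin><status>&ext;</status></checkin>')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, triage_checkin("203.0.113.10", body))
```

The two layers are deliberately independent: the regex layer is cheap enough to run at a WAF or reverse proxy and produces a log line that a SIEM rule can key on, while the parser layer protects the application even when a payload is obfuscated past the regexes, because expat itself is told to abort on any DOCTYPE or external reference rather than to resolve it.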


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-03-24T21:52:43.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9819c4522896dcbd8992

Added to database: 5/21/2025, 9:08:41 AM

Last enriched: 8/6/2025, 1:18:43 AM

Last updated: 8/18/2025, 9:37:24 PM
