CVE-2025-2775: CWE-611 Improper Restriction of XML External Entity Reference in SysAid SysAid On-Prem
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
AI Analysis
Technical Summary
CVE-2025-2775 is an XML External Entity (XXE) vulnerability, classified under CWE-611, that affects SysAid On-Prem versions up to and including 23.3.40. The flaw lies in the Checkin processing functionality, which parses XML input without properly restricting external entity references. Because of this, an unauthenticated attacker can submit crafted XML payloads to the vulnerable endpoint. Exploiting the flaw lets the attacker read arbitrary files on the server and escalate privileges to take over administrator accounts. The vulnerability is exploitable remotely over the network with no authentication or user interaction, which makes it highly dangerous. The CVSS 3.1 base score of 9.3 reflects this: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and changed scope (S:C). Confidentiality impact is high because of the arbitrary file read and account takeover, while availability impact is low. No public exploits have been reported yet, but the severity and ease of exploitation make it a prime target for attackers. The vulnerability was reserved in March 2025 and published in May 2025; with no patches linked at the time of writing, a window of exposure may exist. SysAid On-Prem is widely used by enterprises for IT service management, so this vulnerability is a significant risk for organizations that rely on the product for operational continuity and security.
Potential Impact
For European organizations, this vulnerability poses a critical risk to IT service management infrastructure. Successful exploitation can lead to unauthorized access to sensitive configuration files, credentials, and internal data, resulting in administrator account takeover. This compromises the integrity and confidentiality of the ITSM environment, potentially allowing attackers to manipulate service tickets, disrupt IT operations, or pivot to other internal systems. The availability impact is lower but still relevant as attackers could disrupt service management processes. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on SysAid On-Prem for managing IT assets and incidents are particularly vulnerable. The unauthenticated nature of the exploit increases the risk of widespread attacks, especially in environments exposed to the internet or insufficiently segmented networks. The lack of known exploits currently provides a limited window for proactive defense, but the high severity demands immediate attention to prevent potential exploitation.
Mitigation Recommendations
1. Immediately apply any available patches or updates from SysAid once released.
2. If patches are not yet available, disable or restrict access to the Checkin processing functionality or any XML input endpoints exposed externally.
3. Implement network segmentation to isolate SysAid On-Prem servers from untrusted networks and limit access to trusted administrators only.
4. Configure XML parsers used by SysAid to disable external entity processing (XXE) to prevent malicious XML payloads from being processed.
5. Monitor logs for unusual XML payloads or repeated requests to the Checkin endpoint that could indicate exploitation attempts.
6. Employ Web Application Firewalls (WAFs) with rules to detect and block XXE attack patterns.
7. Conduct internal audits to identify any unauthorized changes or access to administrator accounts and sensitive files.
8. Educate IT staff about the vulnerability and ensure incident response plans include steps for handling potential exploitation.
9. Limit privileges of service accounts and enforce strong authentication mechanisms to reduce impact if compromise occurs.
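Recommendations 4 through 6 in practice, as an added example that is not SysAid's code (the Checkin endpoint's real request format is unknown, so the sample bodies and element names are constructed): a Python parser that refuses DOCTYPE and entity declarations before any entity can be resolved, plus a triage function that flags the same markers in captured request bodies during log review.

```python
import re
import xml.parsers.expat as expat

# Markers a benign Checkin document should never carry (assumption: the real
# Checkin schema is a plain element tree with no DTD). Heuristic, for log review.
_INDICATORS = {
    "doctype": re.compile(rb"<!DOCTYPE", re.I),
    "entity_decl": re.compile(rb"<!ENTITY", re.I),
    "external_id": re.compile(rb"\b(SYSTEM|PUBLIC)\b"),
    "parameter_entity": re.compile(rb"<!ENTITY\s+%", re.I),
}

class XXEBlocked(Exception):
    """Raised when a document tries to declare a DTD or an entity."""

def triage_body(body: bytes) -> set[str]:
    """Return the XXE indicators present in a captured request body."""
    return {name for name, rx in _INDICATORS.items() if rx.search(body)}

def safe_parse(body: bytes) -> list[str]:
    """Parse with expat, aborting before any entity could be resolved.
    Returns the element names seen so a caller can still check document shape."""
    seen: list[str] = []
    parser = expat.ParserCreate()

    def block_doctype(name, sysid, pubid, has_internal_subset):
        raise XXEBlocked(f"DOCTYPE not allowed (name={name!r})")

    def block_entity(name, is_param, value, base, sysid, pubid, notation):
        raise XXEBlocked(f"entity declaration not allowed (name={name!r})")

    parser.StartDoctypeDeclHandler = block_doctype
    parser.EntityDeclHandler = block_entity
    parser.ExternalEntityRefHandler = lambda *args: 0  # never fetch, even if reached
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(body, True)
    return seen

def is_blocked(body: bytes) -> bool:
    """True if safe_parse rejects the body because it carries a DTD or entity."""
    try:
        safe_parse(body)
    except XXEBlocked:
        return True
    return False

# Constructed samples: a benign Checkin-style body and one carrying an external entity.
BENIGN = b'<?xml version="1.0"?><checkin><agent id="42"/></checkin>'
HOSTILE = (b'<?xml version="1.0"?><!DOCTYPE checkin [<!ENTITY x SYSTEM '
           b'"file:///PLACEHOLDER">]><checkin>&x;</checkin>')
```

The parser rejects the hostile body at the DOCTYPE declaration, before expat ever sees the entity, which is the same "no DTD at all" policy libraries such as defusedxml apply; the triage set is what a WAF rule or log search would key on.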
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-03-24T21:52:43.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9819c4522896dcbd8992
Added to database: 5/21/2025, 9:08:41 AM
Last enriched: 11/26/2025, 4:02:05 PM
Last updated: 1/7/2026, 6:08:30 AM