CVE-2025-2775 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability

Exploit added

July 22, 2025

Action due

August 12, 2025

Action required

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.

References

Weakness Enumeration

CWE-ID	CWE Name
CWE-611	Improper Restriction of XML External Entity Reference

Known Affected Software Configurations

cpe:2.3:a:sysaid:sysaid:23.3.40::::on-premises:::
cpe:2.3:a:sysaid:sysaid:22.1.65::::on-premises:::
cpe:2.3:a:sysaid:sysaid:22.3.35::::on-premises:::
cpe:2.3:a:sysaid:sysaid:22.4.45::::on-premises:::
cpe:2.3:a:sysaid:sysaid:23.2.14::::on-premises:::
cpe:2.3:a:sysaid:sysaid:23.2.15::::on-premises:::
cpe:2.3:a:sysaid:sysaid:23.3.34::::on-premises:::
cpe:2.3:a:sysaid:sysaid:23.3.35::::on-premises:::
cpe:2.3:a:sysaid:sysaid:23.3.36::::on-premises:::
cpe:2.3:a:sysaid:sysaid:23.3.37::::on-premises:::
cpe:2.3:a:sysaid:sysaid:22.1.64::::on-premises:::
cpe:2.3:a:sysaid:sysaid:-::::on-premises:::
cpe:2.3:a:sysaid:sysaid:21.4.45::::on-premises:::

Details

Source:
NVD

Published:
May 7, 2025

Updated:
July 23, 2025

Risk information

CVSS v3

Base score:
9.3

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

CVSS v2

Not defined