CVE-2025-2775

CRITICAL · KEV · NUCLEI

SysAid On-Prem <= 23.3.40 - XML External Entity

Title source: nuclei

Exploitation Summary

CVE-2025-2775 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 22, 2025. EIP tracks 3 public exploits from researchers including iSee857, watchtowrlabs, cybersecplayground. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a functional exploit PoC for CVE-2026-22812, targeting OpenCode for remote command execution (RCE). The script demonstrates the vulnerability by creating a session and executing the 'id' command, confirming RCE via the presence of 'uid=' and 'gid=' in the response.

Description

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.

Exploits (3)

github · WORKING POC · 40 stars
by iSee857 · pythonpoc
https://github.com/iSee857/CVE-PoC/tree/main/SysAidOn-Prem-CVE-2025-2775-XmlExternalEntity.py

The repository contains a functional exploit PoC for CVE-2026-22812, targeting OpenCode for remote command execution (RCE). The script demonstrates the vulnerability by creating a session and executing the 'id' command, confirming RCE via the presence of 'uid=' and 'gid=' in the response.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenCode (version not specified)
No auth needed
Prerequisites: Network access to the target · OpenCode service running and accessible
Analyzed by devstral-2 on Feb 27, 2026
nomisec · WORKING POC · 12 stars
by watchtowrlabs · remote
https://github.com/watchtowrlabs/watchTowr-vs-SysAid-PreAuth-RCE-Chain

This is a functional proof-of-concept exploit for a pre-authentication RCE chain in SysAid, leveraging XXE for credential leakage and command injection for remote code execution. The exploit chains multiple CVEs (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, CVE-2025-2778) to achieve unauthenticated remote command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SysAid <= 23.3.40
No auth needed
Prerequisites: Network access to the target SysAid server · Attacker-controlled server to host malicious DTD and receive exfiltrated data
Analyzed by devstral-2 on Feb 16, 2026
github · WRITEUP · 7 stars
by cybersecplayground · poc
https://github.com/cybersecplayground/PoC-and-CVE-Reports/tree/main/2025/CVE-2025-2775_CVE-2025-2776_CVE-2025-2777.md

The repository contains detailed technical writeups for multiple CVEs, including command injection, XXE, SQLi, and RCE vulnerabilities. Each writeup includes vulnerability overviews, proof-of-concept details, and mitigation recommendations.

Classification: Writeup 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Various (e.g., account_mgr.cgi, Ivanti Connect Secure, Zabbix, Check Point VPN, Bricks Builder)
No auth needed
Prerequisites: Access to vulnerable endpoints · Basic understanding of exploit techniques
Analyzed by devstral-2 on Feb 27, 2026

Nuclei Templates (1)

SysAid On-Prem <= 23.3.40 - XML External Entity
CRITICAL · by johnk3r
Shodan: http.favicon.hash:"1540720428"
FOFA: icon_hash=1540720428

Scores

CVSS v3: 9.3
EPSS: 0.6926
EPSS Percentile: 98.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: yes
Technical Impact: partial

Details

CISA KEV: 2025-07-22
VulnCheck KEV: 2025-05-19
ENISA EUVD: EUVD-2025-13878
CWE: CWE-611
Status: published
Products (1): sysaid/sysaid < 23.3.40
Published: May 07, 2025
KEV Added: Jul 22, 2025
Tracked Since: Feb 18, 2026