CVE-2025-2776

🗓️ 07 May 2025 14:50:40Reported by VulnCheckType

cve🔗 web.nvd.nist.gov📰️ 7 Media mentions👁 114 Views

SysAid On-Prem versions up to 23.3.40 have an unauthenticated XML External Entity vulnerability.

Reporter	Title	Published	Views	Family All 18
GithubExploit	Exploit for Improper Restriction of XML External Entity Reference in Sysaid	31 Aug 202513:23	–	githubexploit
Circl	CVE-2025-2776	7 May 202509:31	–	circl
CISA KEV Catalog	SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability	22 Jul 202500:00	–	cisa_kev
CISA	CISA Adds Four Known Exploited Vulnerabilities to Catalog	22 Jul 202512:00	–	cisa
CNNVD	SysAid On-Prem 安全漏洞	7 May 202500:00	–	cnnvd
Cvelist	CVE-2025-2776 SysAid On-Prem <= 23.3.40 serverurl Proceessing XML External Entity Injection	7 May 202514:50	–	cvelist
NCSC	Vulnerabilities fixed in SysAid On-Prem	8 May 202506:56	–	ncsc
Nuclei	SysAid On-Prem <= 23.3.40 - XML External Entity	3 Jun 202606:04	–	nuclei
NVD	CVE-2025-2776	7 May 202515:15	–	nvd
OSV	CVE-2025-2776	7 May 202515:15	–	osv

NVD

Vulners

CNA

Node

sysaid sysaidRange≤23.3.40on-premises

[
  {
    "defaultStatus": "affected",
    "modules": [
      "serverurl"
    ],
    "product": "SysAid On-Prem",
    "vendor": "SysAid",
    "versions": [
      {
        "lessThanOrEqual": "23.3.40",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
labs	www.labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/
documentation	www.documentation.sysaid.com/docs/24-40-60
cisa	www.cisa.gov/known-exploited-vulnerabilities-catalog

19 Nov 2025 18:33Current

9.3High risk

Vulners AI Score9.3

CVSS 3.19.3 - 9.8

EPSS0.62605

SSVC