—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

XML External Entity (XXE) vulnerability in SysAid On Prem 

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: CRITICAL

Software Affected

SysAid On-Prem versions version 23.3.40 and prior

Overview

A vulnerability has been reported in SysAid On Prem which could allow a remote attacker to access sensitive files and potentially compromise administrator accounts.

Target Audience:

Individuals and end-user organisations using affected SysAid On-Prem.

Risk Assessment:

High risk of sensitive data disclosure and take full control of the affected system.

Impact Assessment:

Potential for system compromise and service disruptions.

Description

SysAid is an IT Service Management (ITSM) platform that uses generative AI to help organizations streamline IT help desk operations and manage service delivery.

This vulnerability exists in SysAid On Prem due to improper restriction of XML External Entity (XXE) references during XML parsing.

Successful exploitation of this vulnerability could allow a remote attacker to read files and gain administrative privileges on the affected SysAid On-Prem instance.

Note: This vulnerability (CVE-2025-2776) is being exploited in the wild. Users are advised to apply patches urgently.

Solution

Apply appropriate updates as released by the vendor:

https://documentation.sysaid.com/docs/24-40-60

Vendor Information

SysAid

https://documentation.sysaid.com/docs/24-40-60

References

SysAid

https://documentation.sysaid.com/docs/24-40-60

CVE Name

CVE-2025-2776

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmjlE40ACgkQ3jCgcSdc

ys+z2Q//eGQfwxehX60K3v/OGWlSbhWrVwGt5KJY9VqOHzgocm9ujBhxyMp2CDDe

g+KACDc5sy9yaf1DnK0nZvOaKgt7U/V796YQBXHslv1CJ7rqYM98uJ+uSoNafq0q

wbNHhdZ0ZV5rLlwAeD6j5kamdkBISL5QFGdQVfQwmYeJqZeDlIA9PJTPThLSZvjk

ttbI8tAifT4KmyZlGCgU8Lz7sw8RtzdjXHL44SrGNtLRFPNFLC+AIIPAIvD31UiR

xWm1mwGh2cA2ZWcfnHc6UoKbsV7CYUrLLxMx4ZBaOkNYGQ48cmeHNIwm8nN7tB2L

RBi6au4IPRapQmQsNZBVBRz4nw17qZrWIKTPbzAT5LNngQhUE6rWdTl5Wm9zmmk6

1A2mbpDTHaPZ3Cw6kNGPI93pZGSIsaX2Awf6e/p/rw1eWKxgy28zsZDR6Ap8dROv

cFePAPURz6LYaumSEQHCtQWCtTF0rN6phymPAtZhsPV22KqUDB7l5MJ7lV1x46ts

JRs/h807AE/7w2vVRxiMU3ZkwJwKRWjNLhGx2gy9kwOWyjEmkIznBjqw0JjBqx8T

jqtC7S5NafHVFszXoJiE3Q25lDnIn8/kA3r7MrNQoKvwVAmFHcbAOv8UaPLWVFFl

yBh4Ba5mSkZA1ewYZ7UxzDGzVDxuPYHOPIJuzkRHOldj6NzcDPE=

=XvcG

—–END PGP SIGNATURE—–