
A critical vulnerability (CVE-2025-2777) in SysAid On-Prem versions ≤23.3.40 allows unauthenticated attackers to exploit XML External Entity (XXE) processing in the /lshw endpoint, leading to administrator account compromise and file read access. With a CVSS score of 9.3, this flaw is part of a broader exploit chain (CVE-2025-2775/2776/2778) enabling pre-authenticated remote code execution (RCE). Patches were released in March 2025 (v24.4.60), but unpatched systems remain at high risk due to rapid weaponization trends.
Technical Analysis of CVE-2025-2777
The vulnerability stems from improper XML parsing in SysAid's /lshw endpoint, which processes hardware inventory data. Attackers can inject malicious XML entities to exfiltrate files such as C:/SysAid/conf/InitAccount.cmd, which contains plaintext admin credentials. A proof-of-concept payload demonstrates the XXE exploitation:
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///C:/SysAid/conf/InitAccount.cmd">]>
<request>&xxe;</request>
Successful exploitation grants access to the API.jsp component (CVE-2025-2778), where the javaLocation parameter allows command injection. Combined, these flaws enable full system compromise via a single network request.
Exploit Chain and Threat Context
Threat actors have leveraged similar XXE vulnerabilities in Ivanti ICS (CVE-2025-0282) to deploy DslogdRAT malware, as documented by JPCERT/CC [1]. SysAid's flaws follow this pattern, with VulnCheck reporting 28.3% of Q1 2025 CVEs exploited within 24 hours of disclosure [2].
Related CVEs | Impact
---|---
CVE-2025-2775 (/mdm/checkin) | XXE via mobile device management
CVE-2025-2776 (/mdm/serverurl) | XXE in server URL configuration
CVE-2025-2778 (API.jsp) | Post-auth RCE via javaLocation
Mitigation and Detection
SysAid recommends immediate upgrade to v24.4.60 and disabling XML external entity processing. Detection should focus on:
- HTTP requests to /lshw with XML payloads
- Process spawns from API.jsp
- Credential access events from InitAccount.cmd
Network segmentation and least-privilege service accounts can limit lateral movement. watchTowr Labs has published detection signatures for the exploit chain [3].
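The two defensive measures above, refusing XML that carries a DTD before it reaches the parser and flagging requests to the affected endpoints that contain external entity declarations, can be demonstrated together. The following Python is an added example, not SysAid's code or watchTowr's signatures; the endpoint list comes from the advisory, and the sample requests are constructed.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Endpoints the advisory names as XXE sinks (CVE-2025-2775/2776/2777).
XXE_ENDPOINTS = ("/lshw", "/mdm/checkin", "/mdm/serverurl")

# Any DTD is grounds for rejection: a hardened parser should never see one
# (equivalent to disabling DOCTYPE declarations in the XML parser config).
DTD_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# General or parameter entity resolved from an external SYSTEM/PUBLIC source.
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def is_dtd_free(xml_body: bytes) -> bool:
    """Pre-parse gate: True only if the body carries no DOCTYPE at all."""
    return DTD_RE.search(xml_body) is None


def classify_request(path: str, body: bytes) -> Optional[str]:
    """Return an alert label for one request, or None if it looks benign.

    Only the advisory's XXE endpoints are inspected; query strings and a
    trailing slash are stripped so '/lshw/?x=1' still matches '/lshw'.
    """
    base = path.split("?", 1)[0].rstrip("/")
    if base not in XXE_ENDPOINTS:
        return None
    if EXT_ENTITY_RE.search(body):
        return f"xxe-external-entity {base}"
    if DTD_RE.search(body):
        return f"xxe-dtd-present {base}"
    return None


def scan(requests: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Run classify_request over (path, body) pairs and collect the alerts."""
    return [a for p, b in requests if (a := classify_request(p, b))]


# Constructed sample requests (not captured traffic). The second entry is the
# payload shown in the advisory; the last shows scoping to listed endpoints.
SAMPLE_REQUESTS = [
    ("/lshw", b"<request><host>srv01</host></request>"),
    ("/lshw", b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///C:/SysAid/conf/'
              b'InitAccount.cmd">]><request>&xxe;</request>'),
    ("/mdm/serverurl/?v=1", b"<!DOCTYPE r><r/>"),
    ("/api/other", b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///x">]><r>&xxe;</r>'),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

The DOCTYPE gate is deliberately stricter than an entity-only check, because legitimate inventory submissions to these endpoints have no reason to declare a DTD.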
Conclusion
CVE-2025-2777 represents a critical risk to unpatched SysAid On-Prem systems, with demonstrated exploit chains leading to RCE. Organizations should prioritize patching and monitor for related IOCs, particularly given the historical rapid exploitation of similar vulnerabilities in enterprise software.
References
[1] “DslogdRAT malware deployed via Ivanti ICS flaws,” JPCERT/CC Report, Apr. 2025.
[2] “159 CVEs exploited in Q1 2025,” VulnCheck Report, Apr. 2025.
[3] watchTowr Labs Exploit Chain, GitHub, Mar. 2025.
[4] NVD CVE-2025-2777, NIST, May 2025.