CVE-2025-2777 · CRITICAL 9.8 · EPSS p99.5%

Description

SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 79.13% probability of exploitation · percentile 99.5% · 2026-06-19T12:03:05Z
Published: 2025-05-07
Last modified: 2025-06-27

Underlying weaknesses · 1

CWE-611

References

  1. https://documentation.sysaid.com/docs/24-40-60
  2. https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/

Type     | Target                                                        | Confidence | Tier
Weakness | Improper Restriction of XML External Entity Reference (cwe-611) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
  - CVE: SysAid Server Path Traversal Vulnerability
  - CVE: CVE-2022-22977
  - CVE: CVE-2026-22877
  - CVE: CVE-2026-8045
  - CVE: CVE-2025-22466
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.