CVE-2025-2775 — SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability

CVE-2025-2775

SysAid On-Prem — Pre-Auth XXE via /mdm/checkin; Part of SysOwned Chain Enabling Credential Theft and SYSTEM RCE

What is SysAid On-Prem?

SysAid is an IT service management (ITSM) platform used by organizations to manage IT help desk ticketing, asset management, and endpoint management. The on-premises version runs as a Java web application (often on Windows Server) and is frequently accessible from the internal network and sometimes from the internet for remote IT support. SysAid has been targeted before: CVE-2023-47246 was a critical path traversal zero-day exploited by the Cl0p ransomware group in November 2023 to compromise dozens of organizations.

Overview

CVE-2025-2775 is a pre-authentication XML external entity injection (XXE, CWE-611) in SysAid On-Prem's MDM (Mobile Device Management) Checkin endpoint (/mdm/checkin). The endpoint parses XML POST bodies using PropertyListParser.parse() without disabling external entity resolution, enabling unauthenticated file exfiltration and SSRF. When combined with companion CVE-2025-2776 (XXE in the Server URL endpoint) and CVE-2024-36394 (post-auth OS command injection), the full "SysOwned" chain achieves SYSTEM-level RCE without any credentials.

Affected Versions

Product           Vulnerable    Fixed
SysAid On-Prem    ≤ 23.3.40     24.4.60

Technical Details

The MDM Checkin endpoint (/mdm/checkin) accepts XML-formatted device check-in data (Apple Property List format) in HTTP POST bodies. The GetMdmMessage#doPost method passes the raw POST body to PropertyListParser.parse() — a Java library for parsing Apple's plist format — without disabling XML external entity (XXE) processing.

An attacker sends a crafted plist XML body containing a DOCTYPE declaration that defines an external entity referencing an attacker-controlled server or a local file path. When the parser fetches the external entity, it either:

  • Exfiltrates file contents by embedding the file reference as an entity that appears in the parsed output (out-of-band or in-band XXE)
  • Performs SSRF by making the server fetch attacker-controlled URLs, enabling internal network probing
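The defensive counterpart of the flaw described above, as an added example that is not SysAid's code or the dd-plist library's: a Python guard that inspects a plist check-in body before any XML parser touches it. A genuine plist may carry exactly one DOCTYPE (Apple's public PLIST DTD) and never an entity declaration, so the guard allows only that DOCTYPE and rejects any internal subset or `<!ENTITY`. The sample bodies, the UDID and the entity path are constructed placeholders.

```python
import plistlib
import re

# Constructed sample check-in bodies (not captured from any real device or SysAid server).
BENIGN_CHECKIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>MessageType</key><string>Authenticate</string>
  <key>UDID</key><string>00000000-CONSTRUCTED-UDID</string>
</dict></plist>"""

# Same message shape, but the DOCTYPE carries an internal subset declaring an external entity.
XXE_CHECKIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<plist version="1.0"><dict>
  <key>MessageType</key><string>&ext;</string>
</dict></plist>"""

# The one DOCTYPE a genuine plist carries: Apple's public DTD identifier, no internal subset.
APPLE_PLIST_DOCTYPE = re.compile(
    rb'<!DOCTYPE\s+plist\s+PUBLIC\s+"-//Apple//DTD PLIST 1\.0//EN"\s+'
    rb'"http://www\.apple\.com/DTDs/PropertyList-1\.0\.dtd"\s*>')

class UnsafePlist(ValueError):
    """Raised when a body declares entities or uses a DOCTYPE other than Apple's."""

def check_plist_body(body: bytes) -> None:
    # Any entity declaration, internal or external, has no place in a device check-in.
    if re.search(rb'<!ENTITY', body, re.IGNORECASE):
        raise UnsafePlist("entity declaration in plist body")
    # Every DOCTYPE must be exactly the Apple plist DTD; anything else (including an
    # internal subset after the system identifier) is rejected before parsing.
    for m in re.finditer(rb'<!DOCTYPE', body, re.IGNORECASE):
        if not APPLE_PLIST_DOCTYPE.match(body, m.start()):
            raise UnsafePlist("DOCTYPE is not the plain Apple plist DTD")

def is_safe_plist(body: bytes) -> bool:
    try:
        check_plist_body(body)
        return True
    except UnsafePlist:
        return False

def parse_checkin(body: bytes) -> dict:
    """Validate first, then parse. plistlib (expat) does not fetch the external DTD,
    so the guard is defence in depth rather than the only control."""
    check_plist_body(body)
    return plistlib.loads(body)
```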

SysOwned full attack chain:

  1. CVE-2025-2775 (this CVE): Unauthenticated XXE via /mdm/checkin → read InitAccount.cmd containing plaintext admin credentials
  2. CVE-2025-2776: Alternate XXE via /mdm/serverurl for the same credential extraction
  3. CVE-2024-36394: Post-auth OS command injection using the extracted credentials → SYSTEM shell

The InitAccount.cmd file stores SysAid's initial administrator password in plaintext during installation, often never removed from the filesystem after setup.

Discovery

Discovered by WatchTowr Labs researchers Sina Kheirkhah (@SinSinology) and Jake Knott (@inkmoro) and published as "SysOwned — Your Friendly Support Ticket" in May 2025, coordinated with SysAid's March 2025 patch release.

Exploitation Context

CISA added CVE-2025-2775 and CVE-2025-2776 to the KEV catalog simultaneously on July 22, 2025, confirming active exploitation in the wild. No specific threat actor was named. SysAid's prior exploitation history (Cl0p ransomware via CVE-2023-47246) makes it a high-profile target for ransomware operators.

Remediation

  1. Upgrade to SysAid On-Prem 24.4.60 immediately. The CISA deadline was August 12, 2025.
  2. Delete InitAccount.cmd from the SysAid installation directory if it exists — this file contains plaintext credentials used in the SysOwned chain. Search for it in the SysAid installation path (typically C:\Program Files\SysAid\ or similar).
  3. Change the SysAid administrator password immediately, even if you've patched — if InitAccount.cmd existed and the server was internet-exposed, assume the credentials were extracted.
  4. Apply the fix for CVE-2024-36394 (if not already patched) to close the command injection step in the full chain.
  5. Restrict internet access to the SysAid web application — if remote IT support access is required, place it behind a VPN or IP allowlist.
  6. Review MDM endpoint logs for unexpected POST requests to /mdm/checkin and /mdm/serverurl from external IP addresses.
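A triage script for step 6, added here as an example and not part of SysAid or this advisory: it reads access-log lines in common log format and reports POST requests to /mdm/checkin and /mdm/serverurl whose source address lies outside internal address space. The log lines are constructed, with RFC 5737 documentation ranges standing in for public addresses; the log format of a real deployment may differ and the regex would need adjusting.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed access-log lines in common log format (not from any real SysAid server).
# The public-looking sources use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
10.0.0.25 - - [20/Jul/2025:09:12:01 +0000] "POST /mdm/checkin HTTP/1.1" 200 512
203.0.113.77 - - [20/Jul/2025:09:14:33 +0000] "POST /mdm/checkin HTTP/1.1" 200 1024
198.51.100.9 - - [20/Jul/2025:09:15:10 +0000] "POST /mdm/serverurl HTTP/1.1" 200 640
192.168.4.8 - - [20/Jul/2025:09:16:00 +0000] "GET /mdm/checkin HTTP/1.1" 405 0
203.0.113.77 - - [20/Jul/2025:09:16:45 +0000] "GET / HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
MDM_PATHS = ("/mdm/checkin", "/mdm/serverurl")

# Address space treated as internal; anything else counts as external. Listed explicitly
# rather than via ipaddress.is_private, which also classes documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

class Hit(NamedTuple):
    src: str
    when: str
    path: str
    status: int

def is_external(src: str) -> bool:
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True  # an unparsable source field is worth a look, not silently skipped
    return not any(ip in net for net in INTERNAL_NETS)

def find_external_mdm_posts(log_text: str) -> list:
    """Return POST requests to the MDM endpoints whose source is outside internal space."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, when, method, path, status = m.groups()
        if method != "POST" or path.split("?", 1)[0].lower() not in MDM_PATHS:
            continue
        if is_external(src):
            hits.append(Hit(src, when, path, int(status)))
    return hits
```

If SysAid sits behind a reverse proxy or load balancer, the source field holds the proxy's address; use the forwarded client address the proxy records instead.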

Key Details

Property               Value
CVE ID                 CVE-2025-2775
Vendor / Product       SysAid — SysAid On-Prem
NVD Published          2025-05-07
NVD Last Modified      2025-10-27
CVSS 3.1 Score         9.3
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Severity               CRITICAL
CWE                    CWE-611
CISA KEV Added         2025-07-22
CISA KEV Deadline      2025-08-12
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              None
Availability           Low

Required Action

CISA BOD 22-01 Deadline: 2025-08-12. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-03-03    SysAid releases On-Prem 24.4.60 with fix
2025-05-07    CVE published; WatchTowr Labs publishes SysOwned research
2025-07-22    Added to CISA Known Exploited Vulnerabilities catalog (alongside CVE-2025-2776)
2025-08-12    CISA BOD 22-01 remediation deadline