CVE-2025-2776 — SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability

SysAid On-Prem — Pre-Auth XXE via /mdm/serverurl; Companion to CVE-2025-2775 in SysOwned SYSTEM RCE Chain

What is SysAid On-Prem?

SysAid is an IT service management (ITSM) platform used for IT help desk ticketing, asset management, and endpoint management. SysAid On-Prem runs as a Java web application and is frequently internet-accessible for remote IT support. SysAid has been targeted before: CVE-2023-47246 was exploited by Cl0p ransomware in November 2023.

Overview

CVE-2025-2776 is the second pre-authentication XXE vulnerability (CWE-611) in SysAid On-Prem, exploitable via the /mdm/serverurl endpoint — a different URL path than companion CVE-2025-2775 (/mdm/checkin) but the same underlying vulnerable code. Together, the two XXE paths ensure that even if one URL is blocked, the other remains usable. Both are part of the "SysOwned" attack chain discovered by WatchTowr Labs, which chains the XXE-based credential extraction with CVE-2024-36394 (command injection) to achieve unauthenticated SYSTEM-level RCE.

Affected Versions

Product           Vulnerable    Fixed
SysAid On-Prem    ≤ 23.3.40     24.4.60

Technical Details

The same GetMdmMessage#doPost method that handles /mdm/checkin (CVE-2025-2775) also handles requests routed through /mdm/serverurl. Both paths call PropertyListParser.parse() on the unvalidated POST body without disabling XML external entity processing, enabling the same XXE attack primitives: arbitrary file read and SSRF.

The Server URL endpoint was originally designed to allow MDM-enrolled devices to configure their server connection URL. The attacker exploits it by sending a crafted Apple plist XML body with a DOCTYPE containing an external entity reference.

SysOwned chain (same as CVE-2025-2775):

  1. CVE-2025-2775 or CVE-2025-2776 (this CVE): Unauthenticated XXE → extract plaintext admin credentials from InitAccount.cmd
  2. CVE-2024-36394: Use extracted credentials for OS command injection → SYSTEM shell

Both CVEs must be patched to close both XXE entry points. Patching only one leaves the chain exploitable via the other endpoint.

Discovery

Discovered by WatchTowr Labs researchers Sina Kheirkhah and Jake Knott and published as "SysOwned — Your Friendly Support Ticket" (May 2025).

Exploitation Context

CISA added CVE-2025-2775 and CVE-2025-2776 simultaneously to the KEV catalog on July 22, 2025. The parallel disclosure of two XXE vulnerabilities in the same code path reflects how a single vulnerable function can be reached from multiple URL routes — a common pattern in enterprise Java applications that route requests to handler classes.

Remediation

  1. Upgrade to SysAid On-Prem 24.4.60. The CISA deadline was August 12, 2025.
  2. Delete InitAccount.cmd from the SysAid installation directory — this plaintext credential file is the target of the XXE exfiltration step.
  3. Change the SysAid administrator password if the server was internet-exposed prior to patching.
  4. Apply the fix for CVE-2024-36394 to close the command injection in the full chain.
  5. Block both MDM endpoints at the firewall (/mdm/checkin and /mdm/serverurl) if MDM functionality is not in use.
  6. Review MDM endpoint access logs for POST requests from unexpected external sources.
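Because both routes end in the same GetMdmMessage#doPost handler, a log review that watches only one of them misses half the exposure. The following is an added example (not part of the original advisory or SysAid's own tooling) that triages combined-format access logs for POST requests to either MDM endpoint from sources outside an assumed trusted network; the log lines and the 10.20.0.0/16 trusted range are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Tomcat/Apache "combined" access-log lines (not real SysAid logs).
SAMPLE_LOG = """\
10.20.0.15 - - [21/Jul/2025:09:12:03 +0000] "POST /mdm/checkin HTTP/1.1" 200 512 "-" "MDM/1.0"
203.0.113.45 - - [21/Jul/2025:09:14:51 +0000] "POST /mdm/serverurl HTTP/1.1" 200 2048 "-" "python-requests/2.32"
203.0.113.45 - - [21/Jul/2025:09:14:52 +0000] "POST /mdm/checkin HTTP/1.1" 200 2048 "-" "python-requests/2.32"
198.51.100.7 - - [21/Jul/2025:09:20:00 +0000] "GET /mdm/serverurl HTTP/1.1" 405 0 "-" "Mozilla/5.0"
10.20.0.16 - - [21/Jul/2025:09:21:10 +0000] "POST /Login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Both routes reach the same vulnerable handler, so both must be watched.
MDM_ENDPOINTS = ("/mdm/checkin", "/mdm/serverurl")

# Networks from which MDM device traffic is expected (assumption for this example).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious_mdm_posts(log_text: str) -> list[dict]:
    """Return POST requests to either MDM endpoint from untrusted sources."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        path = m["path"].split("?", 1)[0]  # ignore any query string when matching
        if m["method"] != "POST" or path not in MDM_ENDPOINTS or is_trusted(m["ip"]):
            continue
        findings.append({"ip": m["ip"], "path": path, "ts": m["ts"], "status": int(m["status"])})
    return findings


def summarize_by_source(findings: list[dict]) -> Counter:
    """Count hits per source IP so one host probing both routes stands out."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_suspicious_mdm_posts(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} POST {h['path']} -> {h['status']}")
    print(summarize_by_source(hits))
```

A 200 response to an external POST on either route on an unpatched server warrants the credential rotation in step 3, since a successful XXE read leaves no further trace in the access log.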

Key Details

Property              Value
CVE ID                CVE-2025-2776
Vendor / Product      SysAid — SysAid On-Prem
NVD Published         2025-05-07
NVD Last Modified     2025-10-27
CVSS 3.1 Score        9.3
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Severity              CRITICAL
CWE                   CWE-611
CISA KEV Added        2025-07-22
CISA KEV Deadline     2025-08-12
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Changed
Confidentiality       High
Integrity             None
Availability          Low

Required Action

CISA BOD 22-01 Deadline: 2025-08-12. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-03-03    SysAid releases On-Prem 24.4.60 with fix
2025-05-07    CVE published; WatchTowr Labs publishes SysOwned research
2025-07-22    Added to CISA Known Exploited Vulnerabilities catalog (alongside CVE-2025-2775)
2025-08-12    CISA BOD 22-01 remediation deadline