CVE-2025-2777
Severity: CRITICAL (CVSS 9.8)
WAF coverage: High
Published: 2025-05-07
CWE-611: Improper Restriction of XML External Entity Reference
SysAid On-Prem versions <= 23.3.40 contain an unauthenticated XML External Entity (XXE) injection in the lshw processing functionality. The XML parser behind that endpoint resolves external entities supplied in the request, giving an unauthenticated attacker an arbitrary file read primitive and, from there, a route to administrator account takeover.
WAF Coverage Analysis
Attack class: XML External Entity (XXE)
WAF coverage: High
OWASP Top 10: A05:2021 Security Misconfiguration
Rule group: 941xxx - XSS / XXE
Coverage is rated High because an XXE request has to carry a DOCTYPE in the body, either declaring an entity with a SYSTEM/PUBLIC identifier or pointing at an external DTD, and that shape is matched directly by request-body inspection rules. Treat the WAF as a compensating control: it does not change the vulnerable parser configuration, so upgrading per the vendor release notes remains the fix, and when validating the rule the usual evasion to test is a differently encoded body (for example a UTF-16 payload) that the rule's decoding may not normalise.
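The following Python is an added example for this entry, written to illustrate the CWE-611 bug class in the description above and the body signature the WAF coverage relies on; it is not SysAid's code and not the watchTowr exploit. The lshw request format is not reproduced from the page: the payload is a generic XXE probe, the target file is a constructed stand-in written to a temporary file, and the regular expression is an assumed approximation of what a rule in this class matches rather than the text of any 941xxx rule. It runs the same document through a parser that resolves external general entities (the vulnerable configuration), through the hardened configuration, and through the signature check.

```python
"""Added illustration of CWE-611 (XXE) and a WAF-style body check.

Example code written for this entry, not SysAid's code and not the watchTowr
exploit. The lshw request format is not reproduced; the payload is a generic
XXE probe and the secret file is a constructed stand-in.
"""
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Assumed WAF-style signature (an approximation, not a CRS rule text): a
# DOCTYPE that references an external DTD, or an inline entity declaration
# (general or parameter) with a SYSTEM/PUBLIC identifier.
_XXE_SIGNATURE = re.compile(
    r"<!DOCTYPE\b(?:[^>\[]*\s(?:SYSTEM|PUBLIC)\b"
    r"|[^>]*\[.*?<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b)",
    re.IGNORECASE | re.DOTALL,
)


def has_external_entity_decl(body: str) -> bool:
    """Request-body check in the spirit of a WAF XXE rule."""
    return _XXE_SIGNATURE.search(body) is not None


class _TextCollector(ContentHandler):
    """Collects character data so we can see what the parser inlined."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, data):
        self.chunks.append(data)


def parse_text(body: str, resolve_external_entities: bool) -> str:
    """Parse with xml.sax (expat) and return the document's text content.

    resolve_external_entities=True reproduces the vulnerable configuration:
    an entity declared SYSTEM "file:///..." is fetched and inlined where it
    is referenced. False is the hardened setting (CPython's default since
    3.7.1), under which the reference expands to nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body.encode("utf-8")))
    return "".join(collector.chunks)


def parse_hardened(body: str) -> str:
    """Defence in depth: refuse any DTD up front (untrusted XML has no
    business declaring one), then parse with external entities disabled."""
    if re.search(r"<!DOCTYPE\b", body, re.IGNORECASE):
        raise ValueError("DTD not allowed in untrusted XML")
    return parse_text(body, resolve_external_entities=False)


def xxe_probe(path: str) -> str:
    """Constructed XXE document that inlines the file at `path`."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE list [<!ENTITY xxe SYSTEM "file://{path}">]>'
        '<list><node id="host">&xxe;</node></list>'
    )


# Constructed sample bodies: a benign document and an external-DTD variant
# (the latter is only used for the signature check, never parsed).
BENIGN_BODY = '<?xml version="1.0"?><list><node id="host">server01</node></list>'
EXTERNAL_DTD_BODY = '<!DOCTYPE list SYSTEM "http://attacker.invalid/evil.dtd"><list/>'


def demo() -> dict:
    """Run the probe against a constructed secret file and report what each
    configuration exposed or blocked."""
    secret = "root:x:0:0:root:/root:/bin/bash\n"  # stand-in for /etc/passwd
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret)
        path = fh.name
    try:
        body = xxe_probe(path)
        result = {
            "waf_flags_probe": has_external_entity_decl(body),
            "waf_flags_benign": has_external_entity_decl(BENIGN_BODY),
            "vulnerable_parser_leaked": parse_text(body, True) == secret,
            "hardened_feature_leaked": parse_text(body, False) == secret,
        }
        try:
            parse_hardened(body)
            result["hardened_rejected_dtd"] = False
        except ValueError:
            result["hardened_rejected_dtd"] = True
        result["hardened_accepts_benign"] = parse_hardened(BENIGN_BODY) == "server01"
        return result
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the three outcomes side by side: the vulnerable configuration returns the file contents as the element's text, the hardened parser returns an empty string for the same reference, and the DOCTYPE gate rejects the document before expat ever sees it. The signature check flags both the inline-entity probe and the external-DTD variant while leaving the benign lshw-style document alone; a production rule additionally has to normalise body encoding before matching, which this example does not attempt.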
Affected Software
| Vendor | Product | Version |
|---|---|---|
| SysAid | SysAid On-Prem | <= 23.3.40 |
References
- documentation.sysaid.com (Release Notes)
- labs.watchtowr.com (Exploit, Third Party Advisory)