CVE-2023-47246: 0-day Remote Code Execution Vulnerability Actively Exploited in SysAid On-Premises

Share :

On November 2, 2023, SysAid was notified by Microsoft of a zero-day path traversal vulnerability allowing for remote code execution, which affects their on-premises ITSM solution. In the investigation conducted by SysAid, it was determined that the vulnerability was being actively exploited by a ransomware affiliate group known as Lace Tempest (DEV-0950), a group known for deploying the CL0P ransomware payload. SysAid proceeded to issue a security advisory on November 8, 2023 regarding the vulnerability, which was designated as CVE-2023-47246. 

In the investigation of this campaign by SysAid, threat actors leveraged this vulnerability to deploy a WAR archive containing a webshell to a vulnerable server. Subsequently, the threat actors were observed injecting the GraceWire trojan into a system process. They were also observed tampering with application logs to cover their tracks. 

Arctic Wolf has detections in place to detect common post-compromise activities involved in ransomware campaigns, such as the unusual PowerShell activity described here, as well as detections for the specific indicators of compromise that have been reported. Arctic Wolf will alert observed malicious activity associated with this campaign as part of the Managed Detection and Response service. 

Because this vulnerability is being actively exploited by a ransomware group, Arctic Wolf strongly recommends updating to a fixed version of SysAid as soon as possible. 

Recommendations for CVE-2023-47246

Recommendation: Upgrade to a fixed version of SysAid 

For any customers running the on-premises version of SysAid, the company recommends upgrading to a fixed version as soon as possible, as outlined in the table below. 


Product  Affected Version  Fixed Version 
SysAid On-prem  Versions prior to 23.3.36  23.3.36 


Please follow your organization’s patching and testing guidelines to avoid any operational impact. 


Picture of Adrian Korn

Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.
Share :
Table of Contents
Subscribe to our Monthly Newsletter