CVE-2023-47246 — SysAid Server Path Traversal Vulnerability

SysAid ITSM Server — Unauthenticated Path Traversal Enables JSP Web Shell Upload and RCE; Lace Tempest / Cl0p Ransomware Exploitation; Fixed in 23.3.36

What is SysAid Server?

SysAid is an IT Service Management (ITSM) platform widely used by enterprises, universities, and managed service providers to manage help desk tickets, IT assets, and service requests. The on-premises version (SysAid Server) runs as a Java/Tomcat web application on internal servers, often with broad access to internal IT systems — including integrations with Active Directory, endpoint management tools, and remote access capabilities used to service help desk tickets. Because ITSM platforms have privileged access to IT infrastructure (to provision users, access devices remotely, and manage assets), their compromise provides a powerful pivot point for lateral movement and privilege escalation within an organization.

Overview

CVE-2023-47246 is a critical path traversal vulnerability in SysAid Server (on-premises) that allows an unauthenticated attacker to upload arbitrary files to the Tomcat webroot directory, enabling JSP webshell deployment and full remote code execution. Discovered by Microsoft Threat Intelligence, it was actively exploited by Lace Tempest (TA505) — the threat actor behind Cl0p ransomware — as part of targeted ransomware campaigns. SysAid patched the vulnerability (version 23.3.36) and CISA added it to KEV within three days of public disclosure.

Affected Versions

Product                       Vulnerable    Fixed
SysAid Server (on-premises)   < 23.3.36     23.3.36

Technical Details

CWE-22 (Path Traversal). The SysAid Server application contains a file upload endpoint that does not properly validate the destination path of uploaded files. An unauthenticated attacker can send a crafted request with a path traversal sequence in the upload destination parameter to write files to arbitrary locations accessible by the Tomcat web server process — specifically to Tomcat's webroot directory, which serves JSP pages.
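To make the bug class concrete, the following Python model (added here; not SysAid's code, which is Java, and the directory layout is assumed) shows an upload handler that joins a client-controlled destination onto its upload root, beside a hardened version that normalises the result, requires it to stay under the root, and refuses Tomcat-executable extensions:

```python
from pathlib import Path

# Hypothetical model of the bug class (not SysAid's code): an upload handler joins a
# client-supplied destination onto its upload root. Directory layout is assumed.
UPLOAD_ROOT = Path("/opt/sysaid/uploads")
BLOCKED_SUFFIXES = {".jsp", ".jspx", ".jspf", ".jsw", ".jsv"}  # Tomcat-executable server pages

def vulnerable_destination(dest_param: str, filename: str) -> Path:
    """Unchecked join: '../' in dest_param walks out of UPLOAD_ROOT, and an absolute
    dest_param replaces the root entirely (pathlib join semantics)."""
    return UPLOAD_ROOT / dest_param / filename

def escapes_upload_root(p: Path) -> bool:
    """True when the normalised path is neither UPLOAD_ROOT nor beneath it."""
    root, target = UPLOAD_ROOT.resolve(), p.resolve()  # resolve() collapses '..'
    return target != root and root not in target.parents

def hardened_destination(dest_param: str, filename: str) -> Path:
    """Same join, but reject non-bare file names, server-executable extensions and any
    resolved path that leaves UPLOAD_ROOT. Raises ValueError on rejection."""
    if not filename or filename in {".", ".."} or Path(filename).name != filename:
        raise ValueError("filename must be a bare file name")
    if Path(filename).suffix.lower() in BLOCKED_SUFFIXES:
        raise ValueError("server-executable extension refused")
    candidate = vulnerable_destination(dest_param, filename)
    if escapes_upload_root(candidate):
        raise ValueError("destination escapes upload root")
    return candidate.resolve()

def is_safe_destination(dest_param: str, filename: str) -> bool:
    """Boolean wrapper around hardened_destination for policy checks and tests."""
    try:
        hardened_destination(dest_param, filename)
        return True
    except ValueError:
        return False
```

The extension check is defence in depth: the containment check alone already stops a write into the Tomcat webroot, but refusing server-page extensions also limits damage if the upload root is ever served by Tomcat.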

The exploitation chain observed in the wild:

  1. Send a crafted upload request with a traversal path pointing to the Tomcat webroot
  2. Upload a JSP webshell (e.g., GraceWire malware loader or a generic webshell)
  3. Access the uploaded JSP via HTTP to execute arbitrary OS commands
  4. Use the RCE to deploy Cobalt Strike or other post-exploitation tools
  5. Lateral movement and eventual ransomware deployment via Cl0p

Microsoft Threat Intelligence found Lace Tempest using this chain to deploy GraceWire — a malware loader associated with the Cl0p ransomware group — before moving laterally to encrypt enterprise file systems.

Discovery

Discovered by Microsoft Threat Intelligence (MSTIC), which identified Lace Tempest exploitation in the wild and notified SysAid on November 8, 2023. SysAid patched the following day. This timeline mirrors Lace Tempest's prior campaigns: the same group exploited MOVEit Transfer (CVE-2023-34362) in May 2023 to conduct mass data theft, and exploited GoAnywhere (CVE-2023-0669) in February 2023 in similar supply-chain style campaigns. Lace Tempest repeatedly identifies and weaponizes vulnerabilities in enterprise file transfer and IT management software.

Exploitation Context

Lace Tempest (also tracked as TA505, FIN11, DEV-0950) is a prolific, financially motivated threat actor closely associated with Cl0p ransomware operations. The group specializes in exploiting vulnerabilities in enterprise file transfer and ITSM software to achieve broad access within target organizations before deploying ransomware or conducting mass data theft for extortion. SysAid's broad deployment in enterprise IT environments — and its privileged access to endpoints and systems — made it an ideal target for this campaign pattern.

CISA's 3-day KEV timeline reflects the confirmed active exploitation and Lace Tempest's established pattern of rapid, widespread exploitation of newly disclosed vulnerabilities.

Remediation

  1. Upgrade SysAid Server to version 23.3.36 or later immediately.
  2. Check for indicators of compromise: look for unexpected JSP files in the SysAid Tomcat webroot directory, particularly files recently created or modified.
  3. Review SysAid web server access logs for POST requests to file upload endpoints from unexpected source IPs and for HTTP GET requests to unexpected JSP paths.
  4. Search for GraceWire and Cobalt Strike indicators on the SysAid server host and connected systems — Lace Tempest deploys these before broader ransomware deployment.
  5. If compromise is suspected, isolate the SysAid server immediately and engage incident response — SysAid's ITSM integrations may provide the attacker with privileged access to AD, endpoints, and infrastructure credentials.
  6. After remediation, rotate all credentials accessible from the SysAid server: Active Directory service accounts, database passwords, and remote access credentials used for ticket resolution.
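Steps 2 and 3 above can be scripted. The following Python triage (added here, not from SysAid or the advisory) parses Tomcat "common"-format access log lines, flags POSTs to the upload endpoint, GETs to JSP paths outside an allowlist, and traversal sequences in request lines, and marks as high confidence any source IP that posted an upload and then fetched an unknown JSP. The endpoint name, the JSP allowlist and the sample log lines are placeholders constructed for the example:

```python
import re
from collections import defaultdict

# Tomcat "common" access log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e|%252e)', re.I)

UPLOAD_ENDPOINTS = {"/upload"}             # placeholder: use the upload paths named in the vendor advisory
KNOWN_JSP = {"/Login.jsp", "/index.jsp"}   # placeholder allowlist of legitimate JSP pages

# Constructed sample log (not real traffic); IPs are documentation-range addresses.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Nov/2023:09:58:11 +0000] "GET /Login.jsp HTTP/1.1" 200 4211',
    '203.0.113.45 - - [08/Nov/2023:10:14:02 +0000] "POST /upload?dest=../webapps/ROOT HTTP/1.1" 200 17',
    '203.0.113.45 - - [08/Nov/2023:10:14:09 +0000] "GET /x1.jsp HTTP/1.1" 200 88',
    '198.51.100.7 - - [08/Nov/2023:10:20:44 +0000] "POST /upload HTTP/1.1" 200 17',
    'garbage line that does not parse',
]

def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(lines):
    """Flag upload POSTs, GETs to JSPs outside the allowlist, traversal sequences, and
    IPs that did an upload POST followed by a GET to an unknown JSP (high confidence)."""
    first_upload, unknown_jsp, traversal = {}, defaultdict(list), defaultdict(list)
    high = set()
    for i, line in enumerate(lines):
        rec = parse_line(line)
        if rec is None:
            continue
        ip, raw = rec["ip"], rec["path"]
        path = raw.split("?", 1)[0]               # strip the query string for matching
        if TRAVERSAL_RE.search(raw):
            traversal[ip].append(raw)
        if rec["method"] == "POST" and path in UPLOAD_ENDPOINTS:
            first_upload.setdefault(ip, i)        # remember the earliest upload per IP
        elif rec["method"] == "GET" and path.lower().endswith(".jsp") and path not in KNOWN_JSP:
            unknown_jsp[ip].append(path)
            if ip in first_upload and first_upload[ip] < i:
                high.add(ip)                      # upload first, new JSP fetched afterwards
    return {"upload_posts": sorted(first_upload), "unknown_jsp": dict(unknown_jsp),
            "traversal": dict(traversal), "high_confidence": sorted(high)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An upload POST from an expected client (here 198.51.100.7) is reported but not escalated; only the sequence upload-then-unknown-JSP is treated as high confidence, which is the pattern the exploitation chain above produces.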

Key Details

Property               Value
CVE ID                 CVE-2023-47246
Vendor / Product       SysAid — SysAid Server
NVD Published          2023-11-10
NVD Last Modified      2025-10-31
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-22
CISA KEV Added         2023-11-13
CISA KEV Deadline      2023-12-04
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-12-04. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-11-08   Microsoft Threat Intelligence identifies Lace Tempest exploiting CVE-2023-47246 and notifies SysAid
2023-11-09   SysAid releases version 23.3.36 patching CVE-2023-47246
2023-11-10   CVE-2023-47246 published; SysAid posts public advisory
2023-11-13   CISA adds to Known Exploited Vulnerabilities catalog
2023-12-04   CISA BOD 22-01 remediation deadline

References

Resource                                     Type
SysAid Security Advisory — CVE-2023-47246    Vendor Advisory
NVD — CVE-2023-47246                         Vulnerability Database
CISA KEV Catalog Entry                       US Government