CVE-2023-47246
Published 2023-11-10
Priority P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2023-12-04
Exploited in the wild
EPSS: 98.85% (99.9th percentile)
In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sysaid | sysaid | < 23.3.36 | 23.3.36 |
Detection & IOCs (extracted from sources)
- Detect child processes spawned under java.exe that execute encoded PowerShell; this is a key indicator of post-exploitation activity on SysAid servers.
- Monitor for WAR file creation in the SysAid Tomcat webroot (C:\Program Files\SysAidServer\tomcat\webapps\) as an indicator of webshell deployment via the path traversal.
- Hunt for POST requests to the SysAid UserEntry endpoint whose accountID parameter carries path traversal sequences (e.g., /../) and whose request body is a zlib-compressed WAR file.
- Detect log tampering: PowerShell removing entries matching log4j and Tomcat log patterns from the SysAid Server and Tomcat log files to cover exploitation tracks.
- Use Zscaler/IDS signature 930110 (Path Traversal Attack /../ Decoded Payloads) to detect exploitation attempts against the SysAid UserEntry endpoint.
- Caveat: the PowerShell AV-evasion routine only checks for processes whose name begins with 'Sophos'; it does not attempt to kill the process, it simply exits the routine. Other AV products are not checked and will not trigger this evasion.
- Caveat: the 64-character hexadecimal command-line argument passed to user.exe (GraceWire) was not documented in the SysAid or Profero advisories; it is likely a victim identifier or a unique decryption key and may vary per target.
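The request, process and file indicators above, turned into a small hunting script. This is an added example, not code from this page, from SysAid, Huntress or Emerging Threats: the traversal check applies the same pattern as the ET Suricata rule's pcre (a dot followed by a dot or a slash) to the percent-decoded accountId value, the body check looks for the zlib stream header, and the host-side checks flag encoded PowerShell spawned under java.exe and a .war written into the Tomcat webapps directory. The webroot path and the UserEntry endpoint come from the IOC list; every sample request, command line and file path is constructed for the demo and none of it is real traffic or a real payload.

```python
import base64
import re
import zlib
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Same idea as the ET rule's pcre (a dot followed by a dot or a slash), applied to the
# percent-decoded accountId value so %2e%2e/ and ..%2f variants are caught as well.
TRAVERSAL = re.compile(r"\.(?:\.|/)")
ZLIB_MAGIC = b"\x78\x9c"  # zlib stream header (deflate, default compression) from the IOCs
SYSAID_WEBAPPS = PureWindowsPath(r"C:\Program Files\SysAidServer\tomcat\webapps")
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob; PowerShell accepts any prefix
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: bytes


def request_indicators(req: HttpRequest) -> List[str]:
    """Indicators present in one request to the UserEntry endpoint (empty list = nothing found)."""
    hits: List[str] = []
    parts = urlsplit(req.uri)
    if req.method.upper() != "POST" or not parts.path.lower().endswith("/userentry"):
        return hits
    params = parse_qs(parts.query, keep_blank_values=True)
    account_ids = [v for k, vals in params.items() if k.lower() == "accountid" for v in vals]
    if any(TRAVERSAL.search(unquote(v)) for v in account_ids):  # unquote again: double encoding
        hits.append("traversal_in_accountid")
    if req.body.startswith(ZLIB_MAGIC):
        hits.append("zlib_compressed_body")
    return hits


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED_PS.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def process_indicators(parent_image: str, child_image: str, cmdline: str) -> List[str]:
    """Flag PowerShell spawned under java.exe, and whether it carries an encoded command."""
    hits: List[str] = []
    parent = PureWindowsPath(parent_image).name.lower()
    child = PureWindowsPath(child_image).name.lower()
    if parent == "java.exe" and child in ("powershell.exe", "pwsh.exe"):
        hits.append("powershell_under_java")
        if decode_encoded_powershell(cmdline) is not None:
            hits.append("encoded_command")
    return hits


def file_indicators(path: str) -> List[str]:
    """Flag a .war written into the SysAid Tomcat webapps directory (webshell deployment)."""
    p = PureWindowsPath(path)  # PureWindowsPath compares case-insensitively, as NTFS does
    if p.suffix.lower() == ".war" and SYSAID_WEBAPPS in p.parents:
        return ["war_in_sysaid_webroot"]
    return []


# Constructed sample telemetry (hypothetical values, not real traffic, paths or payloads).
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/userentry?accountId=..%2f..%2ftomcat%2fwebapps%2fshell&x=1",
                zlib.compress(b"PK\x03\x04 placeholder bytes, not a real WAR")),
    HttpRequest("POST", "/userentry?accountId=acme", b'{"user": "alice"}'),
    HttpRequest("GET", "/userentry?accountId=..%2f..%2fetc", b""),
]
SAMPLE_ENCODED = base64.b64encode("Write-Output hunt-sample".encode("utf-16-le")).decode()
SAMPLE_PROCESSES = [
    (r"C:\Program Files\SysAidServer\jre\bin\java.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     f"powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}"),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -nop -File C:\ops\inventory.ps1"),
]
SAMPLE_FILES = [
    r"C:\Program Files\SysAidServer\tomcat\webapps\dropped.war",
    r"C:\Program Files\SysAidServer\tomcat\webapps\sysaid\images\logo.png",
]


def hunt() -> dict:
    """Run every check over the samples; return only the entries that produced indicators."""
    findings: dict = {}
    for r in SAMPLE_REQUESTS:
        if hits := request_indicators(r):
            findings[f"{r.method} {r.uri}"] = hits
    for parent, child, cmd in SAMPLE_PROCESSES:
        if hits := process_indicators(parent, child, cmd):
            findings[cmd[:40]] = hits
    for path in SAMPLE_FILES:
        if hits := file_indicators(path):
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for key, hits in hunt().items():
        print(f"{', '.join(hits):45} {key}")
```

In practice the request check runs over decrypted proxy or Tomcat access logs with request bodies (the ET rules below likewise need SSL decryption to see the zlib header), the process check over Sysmon process-creation events, and the file check over file-creation events in the webroot. A request that trips both request indicators is high confidence; traversal in accountId alone still merits a look, since the rule the page cites fires on that alone.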
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
GHSA
GHSA-w3gp-79x2-f8rp: In SysAid On-Premise before 23
ghsa_unreviewed · 2023-11-10 · CWE-22 · CRITICAL
In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.
VulnCheck
SysAid Server Path Traversal Vulnerability
vulncheck · 2023 · CVSS 9.8 · CWE-22 · CRITICAL
SysAid Server (on-premises version) contains a path traversal vulnerability that leads to code execution.
Affected: SysAid SysAid Server
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification; https://x.com/MsftSecIntel/status/1722444144285560867; https://x.com/msftsecintel/status/1722444141081076219; https://www.cve.org/CVERecord?id=CVE-2023-47246; https://www.huntress.com/blog/critical-vulnerability-sysaid-cve-2023-47246; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://ww
CISA
SysAid Server Path Traversal Vulnerability
cisa · 2023-11-13 · CVSS 9.8 · CWE-22 · CRITICAL
Affected: SysAid SysAid Server
SysAid Server (on-premises version) contains a path traversal vulnerability that leads to code execution.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification; https://nvd.nist.gov/vuln/detail/CVE-2023-47246
Remediation Due Date: 2023-12-04
Suricata
ET EXPLOIT SysAid Traversal Attack (CVE-2023-47246)
suricata · 2023-11-27 · CVSS 9.8 · CRITICAL · sid 2049295
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SysAid Traversal Attack (CVE-2023-47246)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/userentry?accountId="; nocase; fast_pattern; pcre:"/^[^&]+\x2e(?:\x2e|\x2f)/Ri"; http.request_body; content:"|78 9c|"; startswith; reference:url,www.huntress.com/blog/critical-vulnerability-sysaid-cve-2023-47246; reference:url,profero.io/posts/sysaidonpremvulnerability/; reference:url,swww.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification; reference:cve,2023-47246; classtype:attempted-admin; sid:2049295; rev:1; metadata:attack_target Web_Server, created_at 2023_11_27, cve CVE_2023_47246, deployment Perimeter, de
Suricata
ET EXPLOIT Possible SysAid Traversal Attack (CVE-2023-47246)
suricata · 2023-11-10 · CVSS 9.8 · CRITICAL · sid 2049147
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible SysAid Traversal Attack (CVE-2023-47246)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"accountid="; fast_pattern; nocase; pcre:"/^[^&]+\x2e(?:\x2e|\x2f)/Ri"; reference:url,www.huntress.com/blog/critical-vulnerability-sysaid-cve-2023-47246; reference:url,profero.io/posts/sysaidonpremvulnerability/; reference:url,swww.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification; reference:cve,2023-47246; classtype:attempted-admin; sid:2049147; rev:2; metadata:attack_target Web_Server, created_at 2023_11_10, cve CVE_2023_47246, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, conf
Nuclei
SysAid Server - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.
Template:
```yaml
id: CVE-2023-47246
info:
  name: SysAid Server - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.
  remediation: |
    Apply the latest security patches and updates from the vendor to address this vulnerability.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affe
```
Zscaler
Cisco Firewall and VPN Zero Day Attacks | ThreatLabz
blogs_zscaler · 2025-09-26 · CVSS 9.9 · CRITICAL
Bleepingcomputer
CISA warns of hackers exploiting SysAid vulnerabilities in attacks
blogs_bleepingcomputer · 2025-07-23 · CVSS 9.8 · CVE-2025-2775 · CRITICAL
## CISA warns of hackers exploiting SysAid vulnerabilities in attacks
By Sergiu Gatlan
CISA has warned that attackers are actively exploiting two security vulnerabilities in the SysAid IT service management (ITSM) software to hijack administrator accounts.
The two unauthenticated XML External Entity (XXE) flaws, tracked as CVE-2025-2775 and CVE-2025-2776, were reported by watchTowr Labs security researchers in December 2024 and patched in March with the release of SysAid On-Prem version 24.4.60.
One month later, watchTowr Labs also published proof-of-concept code, showing that the SysAid vulnerabilities are trivial to exploit and allow attackers to retrieve local files containing sensitive information.
While CISA didn't share any additional details regarding these ongoing attacks, it
Zscaler
ScreenConnect Vulnerabilities | ThreatLabz
blogs_zscaler · 2024-03-11 · CVSS 10.0 · CRITICAL
Zscaler
CVE-2023-47246 | ThreatLabz
blogs_zscaler · 2023-11-15 · CVSS 9.8 · CRITICAL
Huntress
Critical Vulnerability: SysAid CVE-2023-47246 | Huntress
blogs_huntress · 2023-11-10 · CVSS 9.8 · CRITICAL
On November 8, 2023, SysAid published an advisory expressing that their on-premise server software had a previously undisclosed vulnerability and is aware of public in-the-wild exploitation. Days prior, Microsoft had notified SysAid of this issue and that they attributed these compromises to TA505 “Lace Tempest”, often known as the cl0p ransomware gang.
Huntress has investigated recent intrusions within our partner environments, notified impacted organizations, and recreated the attack chain with a proof-of-concept exploit to develop new detection capabilities for our managed security platform.
Currently, the latest version of SysAid Server 23.3.36 is the recommended patch and update that we strongly urge you to install as soon as possible.
This critical vulnerability has been designa
Bleepingcomputer
Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks
blogs_bleepingcomputer · 2023-11-09 · CVSS 9.8 · CRITICAL
## Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks
By Bill Toulas
Threat actors are exploiting a zero-day vulnerability in the service management software SysAid to gain access to corporate servers for data theft and to deploy Clop ransomware.
SysAid is a comprehensive IT Service Management (ITSM) solution that provides a suite of tools for managing various IT services within an organization.
The Clop ransomware is notorious for exploiting zero-day vulnerabilities in widely used software. Recent examples include MOVEit Transfer , GoAnywhere MFT , and Accellion FTA .
Currently identified as CVE-2023-47246, the vulnerability was discovered on November 2 after hackers exploited it to breach on-premise SysAid servers.
The Microsoft Threat Intelligence team discovered
Recorded Future
Why Patch Management Isn’t Enough: SharePoint, Webshells & the Modern Threat Landscape
blogs_recorded_future
# Patch management glazing won't save you
## SharePoint, webshells, and the intelligence advantage
Everyone is tired of reading about yet another Microsoft SharePoint vulnerability, and understandably so. Each new critical SharePoint flaw (often enabling remote code execution) brings a sense of déjà vu and patch fatigue. Depending on how you want to snap the chalk line, since the SharePoint platform debuted in 2001, there have been at least ~700 distinct CVE-listed vulnerabilities (CVE != exploit count; includes “Server,” “Foundation,” “Online,” etc.). Roughly a third of those vulnerabilities were published after 2020, most likely due to larger bug-hunting incentives and better tools (particularly AI-assisted fuzzers).
However, these recurring incidents carry valuable big-picture risk lessons. Dismissing these incidents as routine misses pr
Greynoiseio
Using GreyNoise EAP Sensors For Novel Exploitation Discovery For CVE-2023-47246
blogs_greynoiseio · CVSS 9.8 · CRITICAL
Greynoiseio
Storm Watch
blogs_greynoiseio
References
- https://documentation.sysaid.com/docs/latest-version-installation-files
- https://documentation.sysaid.com/docs/on-premise-security-enhancements-2023
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-47246
Timeline
- 2023-11-10: Published
- 2023-11-13: Added to CISA KEV
- Exploited in the wild