CVE-2023-47246
published 2023-11-10


Priority: P1 · 99 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2023-12-04
Exploited in the wild
EPSS: 98.85% (99.9th percentile)
In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.

Affected

1 range

Vendor | Product | Version range | Fixed in
sysaid | sysaid  | < 23.3.36     | 23.3.36

Detection & IOCs (extracted from sources)

filename: user.exe
filename: userfiles.war
filename: .bin
  • Detect child processes spawned under java.exe executing encoded PowerShell — a key indicator of post-exploitation activity on SysAid servers.
  • Monitor for WAR file creation in the SysAid Tomcat webroot (C:\Program Files\SysAidServer\tomcat\webapps\) as an indicator of webshell deployment via path traversal.
  • Hunt for POST requests to the SysAid UserEntry endpoint with path traversal sequences (e.g., /../) in the accountID parameter, carrying a zlib-compressed WAR file body.
  • Detect log-tampering activity: PowerShell removing entries matching log4j and Tomcat log patterns from SysAid Server and Tomcat log files to cover exploitation tracks.
  • Use Zscaler/IDS signature 930110 (Path Traversal Attack /../ Decoded Payloads) to detect exploitation attempts against the SysAid UserEntry endpoint.
  • The PowerShell AV-evasion routine only checks for processes beginning with 'Sophos' — it does not attempt to kill the process, it simply exits the routine. Other AV products are not checked and will not trigger this evasion.
  • The 64-character hexadecimal command-line argument passed to user.exe (GraceWire) was not documented in the SysAid or Profero advisories; it is likely a victim identifier or unique decryption key and may vary per target.
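The following Python script is an added example, not code from this page's sources or from SysAid, that turns three of the detection bullets above into runnable checks: POST requests to the UserEntry endpoint with a traversal sequence in the accountID parameter (including percent-encoded forms), encoded PowerShell spawned as a child of java.exe, and WAR files created under the SysAid Tomcat webapps directory stated above. The access-log lines, process events, file paths, base64 payload and the jre path used for java.exe are constructed for illustration; the field names follow Sysmon process-creation events but are an assumption about how your telemetry is shaped.

```python
"""Constructed detection checks for the CVE-2023-47246 indicators listed above."""
import re
from pathlib import PureWindowsPath
from urllib.parse import parse_qs, unquote, urlsplit

# Directory named in the detection guidance: WAR files appearing here indicate webshell deployment.
SYSAID_WEBAPPS = r"C:\Program Files\SysAidServer\tomcat\webapps"

# Common Log Format as emitted by Tomcat's AccessLogValve (sample lines below are constructed).
ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def fully_unquote(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so ..%2F and %252e%252e%2f both read as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """Traversal test on a decoded parameter value; backslashes are normalised to slashes."""
    v = fully_unquote(value).replace("\\", "/")
    return "../" in v or v.endswith("..")


def is_userentry_traversal(line):
    """True for a POST to /userentry whose accountID parameter carries a traversal sequence."""
    m = ACCESS_LOG_RE.match(line)
    if not m or m["method"].upper() != "POST":
        return False
    parts = urlsplit(m["target"])
    if not parts.path.lower().rstrip("/").endswith("/userentry"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer itself
    return any(has_traversal(v) for k, vals in params.items()
               if k.lower() == "accountid" for v in vals)


def _is_encoded_flag(token):
    """powershell.exe accepts -e, -ec and any prefix of -EncodedCommand starting with 'en'."""
    if not token.startswith("-"):
        return False
    name = token[1:].lower()
    return name in {"e", "ec"} or (name.startswith("en") and "encodedcommand".startswith(name))


def is_java_encoded_powershell(event):
    """event: dict with parent_image / image / command_line (Sysmon event 1 style, assumed)."""
    parent = PureWindowsPath(event.get("parent_image", "")).name.lower()
    image = PureWindowsPath(event.get("image", "")).name.lower()
    if parent != "java.exe" or image not in {"powershell.exe", "pwsh.exe"}:
        return False
    return any(_is_encoded_flag(tok) for tok in event.get("command_line", "").split())


def is_webroot_war_drop(path):
    """True when a created file is a .war anywhere under the SysAid Tomcat webapps directory."""
    p = PureWindowsPath(path)
    try:
        p.relative_to(SYSAID_WEBAPPS)  # raises ValueError if the path is outside webapps
    except ValueError:
        return False
    return p.suffix.lower() == ".war"


def scan(access_log_lines, process_events, file_paths):
    """Run all three checks and return (rule, evidence) tuples."""
    findings = [("userentry-traversal", l) for l in access_log_lines if is_userentry_traversal(l)]
    findings += [("java-encoded-powershell", e["command_line"]) for e in process_events
                 if is_java_encoded_powershell(e)]
    findings += [("webroot-war-drop", p) for p in file_paths if is_webroot_war_drop(p)]
    return findings


# Constructed sample telemetry: two traversal attempts, one benign request, one GET (not a POST).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [08/Nov/2023:10:15:22 +0000] "POST /userentry?accountID=/../../x&symbolName=a HTTP/1.1" 200 12',
    '10.0.0.5 - - [08/Nov/2023:10:15:23 +0000] "POST /userentry?accountID=..%2F..%2Fx HTTP/1.1" 200 12',
    '10.0.0.9 - - [08/Nov/2023:10:16:01 +0000] "POST /userentry?accountID=acme HTTP/1.1" 200 12',
    '10.0.0.9 - - [08/Nov/2023:10:16:05 +0000] "GET /userentry?accountID=/../x HTTP/1.1" 200 12',
]
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
JAVA = r"C:\Program Files\SysAidServer\jre\bin\java.exe"  # constructed path, not SysAid's documented one
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": JAVA, "image": PS, "command_line": "powershell.exe -e JABhAD0AMQA="},
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS, "command_line": "powershell.exe -enc JABhAD0AMQA="},
    {"parent_image": JAVA, "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
]
SAMPLE_FILE_PATHS = [
    r"C:\Program Files\SysAidServer\tomcat\webapps\userfiles.war",
    r"C:\Program Files\SysAidServer\tomcat\webapps\ROOT\index.jsp",
    r"C:\Users\svc\Downloads\userfiles.war",
]

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_ACCESS_LOG, SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_PATHS):
        print(f"{rule}: {evidence}")
```

The traversal check deliberately decodes several times because a single `parse_qs` pass only removes one layer of percent-encoding; the process check keys on the parent/child relationship rather than on the PowerShell command text, since the encoded payload itself varies per intrusion.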

CVSS provenance

nvd: CVSS v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL