
Flash Alert – Zero-day vulnerability in SysAid IT support software

CVE-2023-47246

CVSS: TBD

Research by Microsoft Threat Intelligence has identified a vulnerability in SysAid IT On-Premise software, documented as CVE-2023-47246. The vulnerability allows a threat actor to leverage path traversal to execute their own code on the target system.

The threat actor Lace Tempest has been observed exploiting the vulnerability by uploading a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service. The full directory path was:

C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\

The deployed WebShell granted the threat actor unauthorised access and control. Once established, they utilised PowerShell scripts to run a malware loader (with filename user.exe). This was in turn used to deploy the GraceWire Trojan, which was injected into one of the following running processes:

  • spoolsv.exe
  • msiexec.exe
  • svchost.exe

Once GraceWire was deployed, a second PowerShell script was executed to erase evidence of the threat actor’s presence from the disk and associated web logs.

Lace Tempest has previously been observed utilising the MOVEit vulnerability in June 2023, and deploying Cl0p ransomware.

Given the severity of the vulnerability, it is recommended that steps are taken immediately to deploy the patches issued by SysAid. Users of vulnerable versions should also review their systems for evidence of prior exploitation. Further details are available on the SysAid blog.
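A hunting script for the indicators given in this alert, added here as an example and not code from SysAid, Microsoft or the alert's author: it checks a directory listing for WAR archives under the usersfiles webroot and triages process-creation events for PowerShell launched by the Tomcat service and for the user.exe loader. The event field names, the Tomcat parent-process names and all sample data are assumptions.

```python
"""Hunting checks for the CVE-2023-47246 exploitation chain described in this alert.
Indicators (webroot path, loader name, injection targets) come from the alert text;
the event field names and Tomcat parent-process names are assumptions."""
from pathlib import PureWindowsPath

USERSFILES_DIR = PureWindowsPath(r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles")
LOADER_NAME = "user.exe"
INJECTION_TARGETS = {"spoolsv.exe", "msiexec.exe", "svchost.exe"}  # processes GraceWire was injected into
TOMCAT_PARENTS = ("tomcat", "java")  # assumption: image-name prefixes of the SysAid Tomcat service host

def war_files_in_webroot(paths):
    """Return any WAR archives found under the SysAid usersfiles webroot (case-insensitive)."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() == ".war" and USERSFILES_DIR in wp.parents:
            hits.append(p)
    return hits

def triage_process_events(events):
    """Flag events matching the chain Tomcat -> PowerShell -> user.exe loader.
    Each event is a dict with 'pid', 'parent_image' and 'image' (assumed schema)."""
    findings = []
    for ev in events:
        parent = PureWindowsPath(ev["parent_image"]).name.lower()
        child = PureWindowsPath(ev["image"]).name.lower()
        if child == "powershell.exe" and parent.startswith(TOMCAT_PARENTS):
            findings.append(("powershell_from_tomcat", ev["pid"]))
        if child == LOADER_NAME:
            findings.append(("loader_executed", ev["pid"]))
    return findings

# Constructed sample data for a stand-alone run; file and loader paths are placeholders.
SAMPLE_PATHS = [
    r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\EXAMPLE_upload.war",
    r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\report.pdf",
    r"C:\Program Files\SysAidServer\tomcat\webapps\ROOT.war",
]
SAMPLE_EVENTS = [
    {"pid": 101, "parent_image": r"C:\Program Files\SysAidServer\tomcat\bin\tomcat9.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 102, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Temp\user.exe"},
    {"pid": 103, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    print("WAR files in webroot:", war_files_in_webroot(SAMPLE_PATHS))
    print("Process findings:", triage_process_events(SAMPLE_EVENTS))
```

Any hit on the first check, or a PowerShell process parented by the Tomcat service, warrants a full incident review rather than just patching, since the alert notes the actor erases disk and web-log evidence afterwards.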

For further information on Cl0p's recent activities and other ransomware blogs, see my latest Ransomware statistics article.
