December 10, 2023

A critical zero-day vulnerability was discovered in SysAid On-Prem software, a widely used IT service management (ITSM) solution. Researchers now warn that threat actors have started exploiting the vulnerability.

The vulnerability tracked as CVE-2023-47246 could allow attackers to gain unauthorized access to affected systems and execute arbitrary code. The vulnerability was exploited by a group known as DEV-0950 (Lace Tempest).


The vulnerability is a path traversal vulnerability that allows attackers to upload malicious files to the SysAid Tomcat web service. Once uploaded, these files can be executed, giving the attacker complete control over the affected system. The attacker used two PowerShell scripts to carry out the attack: one to launch the malware loader and the other to erase evidence of the intrusion.

The CVE-2023-47246 vulnerability affects all SysAid On-Prem installations running versions before 23.3.36. SysAid Cloud customers are not affected by this vulnerability.

The attackers, identified as the DEV-0950 group, exploited the vulnerability to gain unauthorized access to affected systems. They uploaded a WAR archive containing a WebShell, a malicious script that provides attackers with remote control over the system.


Threat actors deployed a PowerShell script to execute a malware loader named user.exe, which in turn injected the GraceWire trojan into one of the following processes: spoolsv.exe, msiexec.exe, or svchost.exe. The attackers then utilized another PowerShell script to erase evidence of their activities.

To effectively mitigate the risk associated with this vulnerability, SysAid has released a patch, version 23.3.36. Organizations are strongly advised to update their SysAid systems to this latest version immediately. Additionally, conducting a thorough compromise assessment to identify any signs of intrusion is crucial.

Understanding the attack’s anatomy is crucial. Organizations must act as digital detectives, hunting for signs of intrusion in the Tomcat web service’s webroot, monitoring for WebShell deployments, and analyzing PowerShell execution logs for anomalies. The malicious ‘user.exe’ loader, which targets specific processes such as ‘spoolsv.exe,’ ‘msiexec.exe,’ and ‘svchost.exe,’ must be sought out and neutralized.
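As a starting point for the webroot hunt described above, the following added example (not SysAid's or the researchers' code) walks a directory and reports recently modified WAR archives, the script pages inside them, recently modified script pages, and any file named user.exe. The `.jsp`/`.jspx` extensions, the cutoff timestamp, and the sample tree are assumptions constructed for illustration; results are leads to review, not verdicts.

```python
import os
import tempfile
import zipfile

LOADER_NAME = "user.exe"  # loader file name given in the article
SCRIPT_EXTS = (".jsp", ".jspx")  # assumption: page types a Tomcat WebShell would use

def inspect_war(path):
    """List server-side script entries inside a WAR (a zip archive)."""
    try:
        with zipfile.ZipFile(path) as war:
            return [("war-contains-script", f"{path}!{e}")
                    for e in war.namelist() if e.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return [("unreadable-war", path)]

def triage_webroot(webroot, since_epoch):
    """Return sorted (reason, path) leads for files changed at or after since_epoch."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            recent = os.path.getmtime(path) >= since_epoch
            if lower == LOADER_NAME:  # flagged regardless of timestamp
                findings.append(("loader-name", path))
            elif lower.endswith(".war") and recent:
                findings.append(("recent-war", path))
                findings.extend(inspect_war(path))
            elif lower.endswith(SCRIPT_EXTS) and recent:
                findings.append(("recent-script", path))
    return sorted(findings)

def build_sample(root):
    """Create a constructed sample tree (not real data) with fixed mtimes."""
    old, new = 1_600_000_000, 1_700_000_000
    os.makedirs(os.path.join(root, "app"))
    items = {"app/index.jsp": old, "app/new.jsp": new, "user.exe": old, "drop.war": new}
    for rel, mtime in items.items():
        path = os.path.join(root, rel)
        if rel.endswith(".war"):
            with zipfile.ZipFile(path, "w") as war:
                war.writestr("shell.jsp", "constructed placeholder")
        else:
            open(path, "w").close()
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*triage_webroot(tmp, since_epoch=1_650_000_000), sep="\n")
```

File timestamps can be altered and, as noted above, the attackers ran a cleanup script, so an empty result does not rule out compromise.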
