December 12, 2023

Security researchers from Huntress published the technical details and will release an exploit targeting a vulnerability chain for gaining remote code execution on unpatched SysAid IT support software.

SysAid, a beacon of support for IT infrastructures, released an advisory that pierced the veil on a previously hidden vulnerability. This disclosure came on the heels of an alert from Microsoft, which revealed that the notorious TA505, also dubbed “Lace Tempest” and linked to the cl0p ransomware syndicate, was exploiting this weakness in the wild.


The vulnerability, catalogued as CVE-2023-47246, is a path traversal flaw that can be exploited to execute code within on-premises installations of SysAid’s software – a flaw that has since been sealed off in version 23.3.36 of the platform.

The modus operandi of the threat actor was methodical and alarming. They were observed uploading a WAR archive – a trojan horse bearing a web shell and other malicious payloads – into the SysAid Tomcat web service. This web shell not only served as a clandestine backdoor into the host but also as a conduit for a PowerShell script designed to invoke a loader for Gracewire, a notorious malware.

Team Huntress warned SysAid admits that they’ve been able to create an exploit that chains the CVE-2023-47246 flaw to execute code remotely.

As per the researchers, The vulnerability exists in the doPost method within the SysAid com.ilient.server.UserEntry class. By injecting a path traversal into the accountID parameter and supplying a zlib compressed WAR file webshell as the POST request body, an attacker can control where this webshell is written on the vulnerable server. The attacker can then request the webshell by browsing to the URL where it now resides to gain access to the server,”.


The presence of SysAid servers is evident by a Shodan query revealing over 230 instances visible to the public eye. A more expansive query unveils just under 900 instances, a testament to SysAid’s widespread deployment.

While not every public server stands exposed to this threat, the evidence of SysAid’s digital footprint is undeniable. This revelation serves as a clarion call to SysAid admins, it is important to upgrade to the latest version as soon as possible.

Indicators Of Compromise

  • b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d
  • 5ac0a6c76160772acd8a0de0705362fcdc325138eeadfe3d8d40e4bf2212a146

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.