CVE-2023-47246
SysAid Server vulnerability analysis and mitigation

Overview

CVE-2023-47246 is a path traversal vulnerability discovered in SysAid On-Premise software versions before 23.3.36. The vulnerability was first identified on November 2, 2023, and was actively exploited in the wild during November 2023. The vulnerability affects SysAid's on-premise server software, allowing attackers to write files to the Tomcat webroot, leading to code execution (Huntress Blog, Rapid7 Blog).

Technical details

The vulnerability exists in the doPost method of the SysAid com.ilient.server.UserEntry class. Attackers can inject a path traversal sequence into the accountID parameter and supply a zlib-compressed WAR file webshell as the POST request body, which lets them control where the webshell is written on the vulnerable server. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).
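A detection rule for the request shape described above, written as an added example for this page (it is not SysAid's code and not taken from any of the cited analyses). It parses constructed access-log lines, decodes the accountID query parameter repeatedly so double-encoded traversal sequences are exposed, and flags requests whose accountID contains a `..` path segment. The servlet path `/userentry`, the combined log format and the sample lines are assumptions made for the example.

```python
"""Flag requests whose accountID parameter carries a path-traversal sequence.

Added example for CVE-2023-47246 detection; the servlet path, log format and
sample log lines below are constructed assumptions, not values from SysAid.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

SERVLET_PATH = "/userentry"  # assumed path served by com.ilient.server.UserEntry

# '..' as a whole path segment, with either slash style as the separator
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Combined-log-format line: client, ident, user, [timestamp], "METHOD target proto", status, size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode until stable so %252e%252e (double-encoded '..') is revealed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(account_id: str) -> bool:
    """True if the decoded accountID contains '..' as a path segment."""
    normalised = decode_fully(account_id).replace("\\", "/")
    return bool(TRAVERSAL.search(normalised))


def inspect_log_line(line: str) -> Optional[dict]:
    """Return a finding for a UserEntry request with a traversal in accountID, else None."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    parts = urlsplit(match["target"])
    if parts.path.lower() != SERVLET_PATH:
        return None
    # parse_qs already decodes one layer; decode_fully handles further layers
    params = parse_qs(parts.query, keep_blank_values=True)
    for account_id in params.get("accountID", []):
        if has_traversal(account_id):
            return {
                "ip": match["ip"],
                "method": match["method"],  # doPost is the vulnerable path; GETs may be probes
                "accountID": decode_fully(account_id),
                "status": match["status"],
            }
    return None


def scan(lines) -> list:
    """Run inspect_log_line over an iterable of log lines and collect findings."""
    return [f for f in (inspect_log_line(l) for l in lines) if f]


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic)
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Nov/2023:10:15:01 +0000] "POST /userentry?accountID=..%2F..%2Fwebapps HTTP/1.1" 200 12',
    '198.51.100.7 - - [02/Nov/2023:10:16:44 +0000] "POST /userentry?accountID=1234 HTTP/1.1" 200 512',
    '203.0.113.5 - - [02/Nov/2023:10:17:02 +0000] "GET /userentry?accountID=%252e%252e%2F%252e%252e%2Fwebapps HTTP/1.1" 404 0',
    '192.0.2.9 - - [02/Nov/2023:10:18:10 +0000] "GET /index.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The rule keys on the decoded parameter rather than on a fixed string, so single- and double-encoded variants and backslash separators are all caught; a benign numeric accountID is left alone. Method is recorded rather than filtered, since only POST reaches doPost but a GET with the same payload is still worth seeing.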

Impact

The vulnerability allows attackers to upload and execute malicious WAR files in the webroot of the SysAid Apache Tomcat web server, potentially leading to unauthorized system access, code execution, and complete system compromise. The attack surface includes over 230 instances accessible on the public internet, with nearly 900 SysAid servers potentially exposed (Huntress Blog).

Mitigation and workarounds

SysAid has released version 23.3.36 which patches the vulnerability. Organizations are strongly advised to update their SysAid systems to this version immediately. Additional recommendations include conducting thorough compromise assessments, reviewing credentials and activity logs for suspicious behavior, and ensuring SysAid servers are not exposed to the public internet (SysAid Advisory).
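Two checks that follow from the guidance above, added here as an example and not SysAid's own tooling: a version comparison against the fixed release 23.3.36, and an inventory diff that lists WAR and JSP artifacts under a Tomcat webapps directory that are absent from a known-good baseline, as one starting point for a compromise assessment. The demo directory layout, the baseline contents and the file names are constructed for the example.

```python
"""Patch-level check and webroot inventory diff for a SysAid/Tomcat host.

Added example; the demo webroot, baseline and file names are constructed
and do not describe SysAid's real deployment layout.
"""
import tempfile
from pathlib import Path

FIXED_VERSION = (23, 3, 36)            # first SysAid On-Premise release with the fix
SUSPECT_SUFFIXES = {".war", ".jsp", ".jspx"}

# Constructed baseline of artifacts expected in the demo webroot
BASELINE = {"sysaid.war", "ROOT/index.jsp"}


def parse_version(text: str) -> tuple:
    """Turn '23.3.35' into (23, 3, 35) for tuple comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(version: str) -> bool:
    """True when the installed version is 23.3.36 or later."""
    return parse_version(version) >= FIXED_VERSION


def find_unexpected_archives(webapps: Path, baseline: set) -> list:
    """Relative paths of deployable artifacts under webapps not in the baseline."""
    unexpected = []
    for path in sorted(webapps.rglob("*")):
        if path.is_file() and path.suffix.lower() in SUSPECT_SUFFIXES:
            rel = path.relative_to(webapps).as_posix()
            if rel not in baseline:
                unexpected.append(rel)
    return unexpected


def build_demo_webroot() -> Path:
    """Create a constructed webapps tree: two expected files and one unexpected WAR."""
    root = Path(tempfile.mkdtemp(prefix="sysaid-demo-"))
    (root / "sysaid.war").write_bytes(b"PK\x03\x04")          # expected application archive
    (root / "ROOT").mkdir()
    (root / "ROOT" / "index.jsp").write_text("<%-- constructed --%>")
    (root / "uploads").mkdir()
    (root / "uploads" / "dropped.war").write_bytes(b"PK\x03\x04")  # not in baseline
    return root


if __name__ == "__main__":
    for v in ("23.3.35", "23.3.36", "24.1.0"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    demo = build_demo_webroot()
    print("unexpected artifacts:", find_unexpected_archives(demo, BASELINE))
```

In practice the baseline would come from a clean install or a package manifest, and a hit only says an artifact is unaccounted for; the advisory's other steps (credential review, log review) still apply to decide whether it is a compromise.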

Community reactions

Microsoft's threat intelligence team emphasized that Lace Tempest distributes the Cl0p ransomware, and exploitation of CVE-2023-47246 is likely to result in ransomware deployment and/or data exfiltration. Security researchers from multiple organizations, including Huntress and Rapid7, have investigated and published detailed analyses of the vulnerability and its exploitation (Rapid7 Blog).

This report was generated using AI.
