
SysAid On-Prem Software CVE-2023-47246 Vulnerability

Sasha Shapirov

8 Nov 2023

The investigation identified a previously unknown path traversal vulnerability leading to code execution within the SysAid on-prem software.

On Nov 2nd, a potential vulnerability in SysAid on-premise software came to our security team's attention. We immediately initiated our incident response protocol and began proactively communicating with on-premise customers so that they could implement the mitigation we had identified. SysAid engaged Profero, a cyber security incident response company, to assist in the investigation. The investigation determined that there was a zero-day vulnerability in the SysAid on-premises software.


The vulnerability was exploited by a group known as DEV-0950 (Lace Tempest), as identified by the Microsoft Threat Intelligence team. The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service.


The full directory path was C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\. The WebShell gave the attacker unauthorized access to and control over the affected system. The attacker then used a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host; the loader loaded the GraceWire trojan and injected it into one of the following processes:

  • spoolsv.exe

  • msiexec.exe

  • svchost.exe



After this initial access and the deployment of the malware, the attacker used a second PowerShell script to erase evidence of their actions from the disk and from the SysAid on-prem server's web logs.


The investigation revealed that the attackers had been observed deploying the GraceWire loader.
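As an added triage example (not SysAid's or Profero's code, and not one of the attacker scripts described above), the following PowerShell checks a host for the artifacts this write-up names: executable web content dropped under the usersfiles upload directory, WAR archives under webapps, a loader named user.exe, a shell whose parent is the Tomcat JVM, and gaps in Tomcat's daily access logs that would fit the log erasure described. The install root defaults to the path above; the Tomcat logs directory (tomcat\logs), the access-log naming (localhost_access_log.yyyy-MM-dd.txt), the JVM process names, and the temp directories searched are assumptions, not facts from the advisory.

```powershell
# Added triage example for a SysAid on-prem host. Not SysAid's, Profero's, or the
# attacker's code. Every path except the install root is an assumption.
param(
    [string]$SysAidRoot = 'C:\Program Files\SysAidServer'   # install root named in the advisory
)

$webapps    = Join-Path $SysAidRoot 'tomcat\webapps'
$usersfiles = Join-Path $webapps 'usersfiles'            # upload directory the attacker abused
$tomcatLogs = Join-Path $SysAidRoot 'tomcat\logs'        # assumed default Tomcat log directory
$findings   = New-Object System.Collections.Generic.List[string]

# 1. Anything Tomcat can execute sitting in a user-upload directory. Nothing of this kind
#    belongs under usersfiles, so every hit is worth a look.
if (Test-Path $usersfiles) {
    Get-ChildItem -Path $usersfiles -Recurse -File -Include *.war,*.jsp,*.jspx,*.jar,*.class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add("Web artifact in upload dir: $($_.FullName) written $($_.LastWriteTime)")
        }
}

# 2. WAR archives anywhere under webapps, and whether Tomcat already auto-expanded them
#    (an <name>.war next to an <name>\ folder). Compare hits against a known-good install.
Get-ChildItem -Path $webapps -Recurse -File -Filter *.war -ErrorAction SilentlyContinue |
    ForEach-Object {
        $expanded = Join-Path $_.DirectoryName $_.BaseName
        $note = if (Test-Path $expanded) { " (expanded at $expanded)" } else { '' }
        $findings.Add("WAR under webapps: $($_.FullName)$note")
    }

# 3. The loader file name reported in the advisory. Name-based only: a renamed loader will not match.
foreach ($dir in @($SysAidRoot, $env:TEMP, "$env:SystemRoot\Temp")) {
    Get-ChildItem -Path $dir -Recurse -File -Filter 'user.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $findings.Add("Loader candidate: $($_.FullName) sha256=$hash")
        }
}

# 4. A shell whose parent is the Tomcat JVM. The advisory says the webshell ran PowerShell,
#    so this is the live process relationship to look for. JVM process names are assumed.
$procs   = Get-CimInstance -ClassName Win32_Process
$jvmPids = @($procs | Where-Object { $_.Name -match '^(java|javaw|tomcat\d*)\.exe$' } |
             Select-Object -ExpandProperty ProcessId)
$procs | Where-Object { $_.Name -match '^(powershell|pwsh|cmd)\.exe$' -and $jvmPids -contains $_.ParentProcessId } |
    ForEach-Object { $findings.Add("Shell spawned by Tomcat JVM: pid $($_.ProcessId) cmdline=$($_.CommandLine)") }

# 5. Log erasure. Tomcat writes one access log per day; a recent day with no file, or an
#    empty one, needs an explanation. Whatever survives is also searched for the upload path.
if (Test-Path $tomcatLogs) {
    foreach ($daysAgo in 0..14) {
        $stamp = (Get-Date).AddDays(-$daysAgo).ToString('yyyy-MM-dd')
        $logs  = @(Get-ChildItem -Path $tomcatLogs -File -Filter "*access_log*$stamp*" -ErrorAction SilentlyContinue)
        if ($logs.Count -eq 0) {
            $findings.Add("No access log for $stamp")
        } elseif (($logs | Measure-Object -Property Length -Sum).Sum -eq 0) {
            $findings.Add("Empty access log for $stamp")
        }
    }
    Get-ChildItem -Path $tomcatLogs -File -Filter '*access_log*' -ErrorAction SilentlyContinue |
        Select-String -Pattern 'usersfiles\S*\.(war|jsp|jspx)' |
        ForEach-Object { $findings.Add("Access-log hit: $($_.Filename):$($_.LineNumber) $($_.Line.Trim())") }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found by these checks; that is not proof the host is clean.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it elevated on the SysAid server itself, and treat an empty result as inconclusive: the checks are name- and path-based, so a renamed loader or a WAR dropped elsewhere is missed, and the GraceWire injection into spoolsv.exe, msiexec.exe or svchost.exe is not visible from process metadata at all; that needs memory acquisition or an EDR that records injection. A day with no access log is only meaningful if the service was running that day, so check the Tomcat service history before reading it as erasure.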


Given the severity of the threat posed, we strongly recommend taking immediate steps according to your incident response playbook and installing any patches as they become available. Taking proactive steps to secure your SysAid installations is vital in mitigating the risk.


PowerShell Used to Launch Malware Loader

The attacker used the PowerShell script to launch the user.exe loader.


PowerShell Used to Erase Evidence from Victim Servers

The PowerShell script was used to erase evidence of the exploitation after the malicious payloads had been deployed.


PowerShell Used to Download and Execute CobaltStrike Agent

The PowerShell command was used to download and execute a CobaltStrike agent (Beacon) on victim hosts.


IOCs



