PatchDay Alert
Analysis · 5 min read · 901 words · By operations-desk

SysAid customers got the patch the same week they learned they were already breached

CVE-2023-47246 was a SysAid zero-day before it was a CVE. The Cl0p operator Lace Tempest, fresh off MOVEit, was writing webshells to Tomcat and deploying ransomware while the vendor was still writing the advisory. When the attacker has the bug first, detection matters as much as patching.

The uncomfortable thing about CVE-2023-47246 is the order of events. SysAid customers didn’t get a heads-up, patch, and stay safe. The vulnerability was discovered because Microsoft Threat Intelligence caught it being exploited, and SysAid announced on November 8, 2023 that its on-premise product was under active attack as a zero-day. The patch and the breach notification arrived in the same news cycle. For anyone already targeted, the fix was a cleanup tool, not a preventive one.

That sequence is becoming the norm for a specific class of attacker, and it should change how you think about defending enterprise software.

What the bug is

CVE-2023-47246 is a path traversal (CWE-22) in SysAid On-Premise before version 23.3.36, CVSS 9.8, unauthenticated. By manipulating the accountID parameter, an attacker controls where a file gets written, and writes a malicious archive into the Apache Tomcat web application root. Anything in the Tomcat webroot is executable, so dropping a WAR or JSP webshell there is immediate remote code execution. No credentials, no user interaction. SysAid’s advisory directs all customers to upgrade to 23.3.36 or later, and CISA added it to the Known Exploited Vulnerabilities catalog on November 13, 2023, with a December 4 deadline and the ransomware flag.
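To make the CWE-22 mechanism concrete, here is an added illustration in Python (not SysAid's code, which is Java, and not derived from it): a write path built by splicing a caller-controlled identifier straight into a directory, beside the hardened form that rejects anything but a plain token and then confirms the resolved path still lies under the intended base. The base directory, the parameter handling and the sample identifiers are constructed for the example.

```python
import os
from pathlib import Path

# Illustrative CWE-22 pattern (constructed, not SysAid's code): a caller-controlled
# identifier is spliced into a filesystem path with no validation, so "../" segments
# walk out of the directory the application meant to write into.
def unsafe_target(base_dir: str, account_id: str) -> str:
    """Return the normalised path the write would land on if account_id were trusted."""
    return os.path.normpath(os.path.join(base_dir, account_id, "upload.bin"))

# Hardened form: reject anything that is not a plain token, then confirm the fully
# resolved path (symlinks and ".." collapsed) is still inside base_dir.
def safe_target(base_dir: str, account_id: str) -> str:
    if not account_id.isalnum():
        raise ValueError("accountID must be a plain alphanumeric token")
    base = Path(base_dir).resolve()
    target = (base / account_id / "upload.bin").resolve()
    if target != base and base not in target.parents:
        raise ValueError("resolved path escapes the base directory")
    return str(target)

def contained_in(base_dir: str, candidate: str) -> bool:
    """Reusable containment check: True only if candidate resolves to base_dir or below it."""
    base = Path(base_dir).resolve()
    cand = Path(candidate).resolve()
    return cand == base or base in cand.parents

if __name__ == "__main__":
    # Constructed values: the first identifier walks two levels up from the data directory.
    for value in ("12345", "../../www/example"):
        print("unsafe join would write to:", unsafe_target("/srv/app/data", value))
        try:
            print("hardened join accepted:", safe_target("/srv/app/data", value))
        except ValueError as err:
            print("hardened join rejected:", repr(value), "->", err)
```

The allow-list check on the identifier is what actually closes the hole; the containment check after resolution is defence in depth for the cases where the value legitimately has to be a path fragment.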

SysAid is IT service management software, a help desk and asset-management hub. That makes it a high-value foothold: it tends to integrate with directory services, hold credentials, and have reach across the IT estate by design. A webshell on the SysAid server is a strong position to escalate and pivot from, which is exactly what the attacker did.

The actor is the story

The group Microsoft tracks as Lace Tempest deployed the webshell and used the access to push Cl0p ransomware. That name matters, because Lace Tempest is the same operation behind the mass exploitation of MOVEit Transfer (CVE-2023-34362) earlier in 2023, and the GoAnywhere and Accellion campaigns before that. This is a crew whose business model is finding, or acquiring, pre-authentication bugs in widely-deployed enterprise software and burning them in large, fast extortion campaigns.

The implication is that you are not always up against opportunistic scanning that starts after a CVE drops. For an actor like this, the zero-day is the opening move. By the time the vulnerability is public and a patch exists, the initial wave of compromise has already happened. “There’s no patch yet, so there’s nothing to do” is exactly backwards in this threat model. When the attacker has the bug before the vendor does, your patch cadence isn’t the variable that saves you, because there was nothing to apply during the window that mattered.

What saves you in that window is detection: noticing the webshell, the anomalous process, the unexpected file in the webroot, before the ransomware stage. That’s the capability worth investing in for software that sophisticated extortion crews target.

What to do

  • Patch to SysAid 23.3.36 or later, now. If you somehow still aren’t current, you’re exposed to a publicly-known, ransomware-associated, unauthenticated RCE. This is overdue.
  • Assume you may have been hit during the zero-day window and hunt accordingly. Exploitation predated the patch, so a clean patch status today does not mean you were never compromised. Investigate the SysAid host for: unexpected .war or .jsp files in the Tomcat webroot, the Tomcat/SysAid process spawning shells or unusual children, and accountID parameter values containing path-traversal sequences in the web logs.
  • Look for the documented follow-on tooling. The Lace Tempest activity involved webshell access leading to credential theft, lateral movement, and ultimately Cl0p deployment. Check for new accounts, unexpected scheduled tasks, and outbound connections from the SysAid server.
  • Treat the SysAid server as privileged infrastructure. Take its web interface off the public internet, run it with least privilege, segment it, and monitor it like the high-trust hub it is. ITSM platforms get installed and forgotten precisely because they “just work,” and that neglect is what makes them attractive.
  • Build webroot-write detection generally. A file-monitoring rule that alerts on new executable content (WAR, JSP, ASPX, PHP) appearing in any application’s web root is one of the higher-value, lower-cost detections you can deploy, because so many of these enterprise-software RCEs end with exactly that action.
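Two of the hunts above (traversal sequences in the accountID parameter, and new executable content in a web root) are concrete enough to script. The following is an added Python example, not tooling from SysAid, Microsoft or CISA. It assumes Tomcat's "common" access-log pattern and that the parameter appears in the logged request target (form-body parameters never reach an access log, so a pure log hunt has that blind spot); the log lines, endpoint name and IP addresses are constructed placeholders, and the webroot scan runs against a throwaway directory it creates itself.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit, parse_qs, unquote

# Extensions a servlet container, IIS or PHP will execute if they appear in a web root.
EXECUTABLE_WEB_EXTS = {".war", ".jsp", ".jspx", ".aspx", ".ashx", ".php"}

# A ".." path segment bounded by a slash/backslash or by the start/end of the value.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
ACCESS_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (placeholder endpoint, documentation-range IPs), not real SysAid logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Nov/2023:10:15:02 +0000] "GET /placeholder-endpoint?accountID=%2e%2e%2f%2e%2e%2fexample HTTP/1.1" 200 512',
    '198.51.100.5 - - [07/Nov/2023:10:16:44 +0000] "GET /placeholder-endpoint?accountID=12345 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [07/Nov/2023:10:17:10 +0000] "POST /placeholder-endpoint?accountID=..%5c..%5cexample HTTP/1.1" 200 128',
    '192.0.2.9 - - [07/Nov/2023:10:18:00 +0000] "GET /Login.jsp HTTP/1.1" 200 4096',
]

def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded sequences (%252e%252e) normalise as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value: str) -> bool:
    """True if the decoded value contains a '..' path segment."""
    return TRAVERSAL_RE.search(fully_decode(value)) is not None

def scan_access_log(lines):
    """Return (source_ip, request_target, decoded accountID) for each suspicious request."""
    hits = []
    for line in lines:
        m = ACCESS_LINE_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for name, values in params.items():
            if name.lower() != "accountid":
                continue
            for value in values:  # parse_qs has already removed one layer of encoding
                if has_traversal(value):
                    hits.append((m.group("src"), m.group("target"), fully_decode(value)))
    return hits

def find_new_web_executables(webroot: str, since_epoch: float):
    """Walk webroot and list executable web content modified at or after since_epoch."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_WEB_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:  # file vanished between listing and stat
                continue
            if mtime >= since_epoch:
                findings.append((path, mtime))
    return sorted(findings)

def demo_webroot_scan():
    """Plant a .jsp in a throwaway webroot and return the scan's findings as relative paths."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    os.makedirs(os.path.join(root, "ROOT"))
    for rel in ("ROOT/index.html", "ROOT/planted.jsp", "logo.png"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder")
    return [os.path.relpath(p, root).replace(os.sep, "/")
            for p, _ in find_new_web_executables(root, since_epoch=0)]

if __name__ == "__main__":
    for src, target, decoded in scan_access_log(SAMPLE_LOG):
        print(f"traversal in accountID from {src}: {decoded!r} ({target})")
    print("new web executables in demo webroot:", demo_webroot_scan())
```

In production the since_epoch baseline would be the last known-good deployment time (or the scan would run continuously from a file-integrity agent), and any hit from the webroot scan on a server you did not just deploy to is worth an incident ticket on its own, independent of whether the log hunt found anything.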

The reframe

Patching is necessary and you should do it relentlessly, but CVE-2023-47246 is a reminder of what patching can and can’t do. Against an actor who develops or buys zero-days and leads with them, the patch arrives after the damage for the first wave of victims. The defense that works in that window is the ability to see the intrusion in progress: the webshell that shouldn’t be there, the service account doing something it never does. Vendors will keep shipping bugs, and crews like Lace Tempest will keep finding them first, so build the detection that catches the after-exploitation behavior, because for the highest-value targets, that’s the line of defense that’s actually standing when the bug is still a secret. We flag these enterprise-software zero-days the moment they surface, but the day it lands on the catalog is often the day to start hunting, not the day to start worrying.
