SysAid on-premises software has a path traversal vulnerability [CVE-2023-47246] that can lead to remote code execution (RCE); exploitation does not require valid credentials. Because SysAid is an IT service and ticket management system, a compromised instance can expose sensitive information about internal architecture, assets and operating practices.
Active exploitation by the threat group tracked as “DEV-0950 (Lace Tempest)” has been identified and reported by the Microsoft Threat Intelligence team. The attackers used the path traversal to upload a WAR archive containing a web shell and other payloads into the webroot of the SysAid Tomcat web service. Further exploitation is likely now that the vulnerability is public.
SysAid engaged Profero, a cyber security incident response company, to assist in its investigation and initiated its incident response protocol. See the SysAid Blog, “SysAid On-Prem Software CVE-2023-47246 Vulnerability”, for more details.
Status
- Only the on-premises software is affected; there is no indication that SysAid cloud services were compromised.
- Patches are available (SysAid on-premises version 23.3.36 and later).
- The Bitsight Research Team is continuing its analysis and expects to have in-product capability shortly.
Recommendations
- Use Bitsight for 4th party risk to search for SysAid both as a product and as a service provider across your vendor portfolio.
- Check for evidence of compromise before patching, since upgrading does not remove payloads an attacker has already dropped into the webroot; then patch immediately. Upgrade instructions are provided in the SysAid documentation.
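The reported intrusion artefact is a WAR archive dropped into the webroot of the SysAid Tomcat service, so a first compromise check is to enumerate that directory for archives and exploded web applications that the deployment does not account for and to look inside them for JSP or binary payloads. The script below is an added example, not code from SysAid, Profero, Microsoft or Bitsight. The `EXPECTED` allowlist is an assumption to be replaced with the application names actually deployed on your server, the suspicious-suffix list is a judgement call, and `build_demo_webroot()` constructs a throwaway fixture (one expected app, one dropped WAR with a placeholder JSP, one exploded directory) so the hunt can be run offline.

```python
"""Hunt a Tomcat webroot for unexpected WAR archives and web-shell-like payloads.

Added example for the CVE-2023-47246 advisory; not SysAid's or Bitsight's code.
"""
import tempfile
import zipfile
from pathlib import Path
from typing import Iterable

# Assumption: application names a defender expects in the SysAid Tomcat webroot.
# Replace with the real deployment's entries; anything not listed is reported.
EXPECTED = {"ROOT", "ROOT.war"}

# Member/file types that have no business in a freshly dropped archive.
SUSPICIOUS_SUFFIXES = (".jsp", ".jspx", ".exe", ".dll", ".bat", ".ps1")


def suspicious_members(war_path: Path) -> list[str]:
    """List script/binary members inside a WAR (zip) without extracting it."""
    try:
        with zipfile.ZipFile(war_path) as zf:
            return sorted(n for n in zf.namelist()
                          if n.lower().endswith(SUSPICIOUS_SUFFIXES))
    except zipfile.BadZipFile:
        # A ".war" that is not a zip is itself worth a look.
        return ["<not a valid zip archive>"]


def hunt_webroot(webroot: Path, expected: Iterable[str] = EXPECTED) -> list[dict]:
    """Return one finding per unexpected WAR, exploded app or loose payload file."""
    expected = set(expected)
    findings: list[dict] = []
    for entry in sorted(webroot.iterdir()):
        if entry.name in expected:
            continue
        if entry.is_file() and entry.suffix.lower() == ".war":
            findings.append({"path": str(entry),
                             "reason": "unexpected WAR archive in webroot",
                             "members": suspicious_members(entry)})
        elif entry.is_dir():
            # Tomcat auto-deploys a WAR into a directory of the same name;
            # inspect the exploded tree for script/binary payloads.
            members = sorted(str(p.relative_to(entry)) for p in entry.rglob("*")
                             if p.is_file() and p.suffix.lower() in SUSPICIOUS_SUFFIXES)
            if members:
                findings.append({"path": str(entry),
                                 "reason": "unexpected exploded webapp with payloads",
                                 "members": members})
        elif entry.is_file() and entry.suffix.lower() in SUSPICIOUS_SUFFIXES:
            findings.append({"path": str(entry),
                             "reason": "loose script/binary file in webroot",
                             "members": [entry.name]})
    return findings


def build_demo_webroot() -> Path:
    """Constructed sample webroot (not a real capture): one expected app,
    one dropped WAR carrying a placeholder JSP, one exploded rogue app."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "ROOT").mkdir()
    (root / "ROOT" / "index.html").write_text("<html>ok</html>")
    with zipfile.ZipFile(root / "dropped.war", "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("shell.jsp", "<%-- placeholder, not a real payload --%>")
    (root / "tmp_app").mkdir()
    (root / "tmp_app" / "cmd.jsp").write_text("<%-- placeholder --%>")
    return root


if __name__ == "__main__":
    for f in hunt_webroot(build_demo_webroot()):
        print(f"{f['path']}: {f['reason']} -> {f['members']}")
```

Run it against the real webroot (for example `hunt_webroot(Path(r"C:\Program Files\SysAidServer\tomcat\webapps"))`, path assumed; check your installation) with `EXPECTED` set to the names that belong there. Treat any hit as a lead for the incident response process, not as proof of compromise, and preserve the archive and Tomcat access logs before deleting anything.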