CVE-2023-47246 Overview
CVE-2023-47246 is a critical path traversal vulnerability affecting SysAid On-Premise IT service management software versions prior to 23.3.36. This vulnerability allows unauthenticated remote attackers to write arbitrary files to the Tomcat webroot directory, ultimately enabling remote code execution (RCE) on vulnerable systems. The vulnerability was actively exploited in the wild in November 2023, and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
Critical Impact
This vulnerability enables unauthenticated attackers to achieve remote code execution by leveraging a path traversal flaw to upload malicious files to the web server. Active exploitation in the wild makes immediate patching essential.
Affected Products
- SysAid On-Premise versions prior to 23.3.36
- SysAid On-Premise IT Service Management Software
Discovery Timeline
- 2023-11-10 - CVE-2023-47246 published to NVD
- 2025-10-31 - Last updated in NVD database
Technical Details for CVE-2023-47246
Vulnerability Analysis
CVE-2023-47246 represents a severe path traversal vulnerability (CWE-22) in SysAid On-Premise software that can be exploited remotely without authentication. The vulnerability exists in file upload functionality that fails to properly validate user-supplied file paths, allowing attackers to escape the intended upload directory and write files to arbitrary locations on the server.
The attack chain observed in the wild involves attackers exploiting the path traversal flaw to write a malicious JSP webshell directly to the Tomcat webroot. Once the webshell is deployed, attackers can execute arbitrary commands with the privileges of the SysAid application server process. This provides full remote code execution capability on vulnerable systems.
The vulnerability's network-accessible attack vector, lack of authentication requirements, and low complexity make it particularly dangerous. Successful exploitation can result in complete system compromise, including unauthorized access to sensitive IT service management data, lateral movement within the network, and potential deployment of additional malware or ransomware.
Root Cause
The root cause of CVE-2023-47246 is improper input validation in the file path handling mechanism. The application fails to adequately sanitize user-controlled input when constructing file paths for uploaded content. This allows attackers to use directory traversal sequences (such as ../) to navigate outside the intended directory structure and place files in sensitive locations like the Tomcat webroot. The absence of proper path canonicalization and validation against a whitelist of allowed directories enables this attack.
Attack Vector
The attack exploits a network-accessible endpoint in the SysAid On-Premise application. Attackers craft malicious HTTP requests containing path traversal sequences in file upload parameters. The vulnerable component processes these requests without proper validation, allowing files to be written to the Tomcat webroot directory. The attacker then accesses the uploaded webshell via HTTP to execute commands on the target server.
The exploitation process involves uploading a malicious JSP file through the vulnerable endpoint, using traversal sequences to place it in the web-accessible directory, and then triggering code execution by accessing the uploaded file through a web browser.
Detection Methods for CVE-2023-47246
Indicators of Compromise
- Unexpected JSP or WAR files appearing in Tomcat webroot directories (/webapps/ paths)
- Suspicious HTTP requests containing path traversal sequences (../) targeting SysAid upload endpoints
- Web server logs showing access to unusual JSP files not part of standard SysAid installation
- Outbound network connections originating from the SysAid server process to suspicious external hosts
- Evidence of command execution through Tomcat process spawning unexpected child processes
Detection Strategies
- Monitor file system activity for new file creation events in Tomcat webroot directories
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in HTTP requests
- Analyze HTTP access logs for requests containing ../ sequences or unexpected file extensions targeting upload functionality
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious process execution chains involving java.exe or Tomcat processes
- Enable verbose logging on SysAid application servers to capture file operation events
Monitoring Recommendations
- Configure real-time alerts for file creation events in web application directories
- Establish baselines for normal SysAid network traffic patterns and alert on anomalies
- Monitor for post-exploitation activities such as credential harvesting, lateral movement, or data exfiltration
- Review CISA's Known Exploited Vulnerabilities Catalog entry for CVE-2023-47246 for updated IOCs
How to Mitigate CVE-2023-47246
Immediate Actions Required
- Upgrade SysAid On-Premise to version 23.3.36 or later immediately
- Audit Tomcat webroot directories for any unauthorized or suspicious files
- Review web server and application logs for evidence of exploitation attempts
- Isolate potentially compromised SysAid servers from the network pending forensic investigation
- Implement network segmentation to limit exposure of SysAid servers to untrusted networks
Patch Information
SysAid has released version 23.3.36 which addresses this vulnerability. Organizations running affected versions should upgrade immediately. Detailed patching instructions and security enhancements are available in the SysAid 2023 Security Enhancements documentation. Additionally, SysAid has published a Security Vulnerability Notification with guidance for affected customers. The latest installation files can be obtained from the SysAid Installation Documentation.
Workarounds
- Restrict network access to SysAid servers using firewall rules to allow only trusted IP ranges
- Implement a web application firewall (WAF) with rules to block path traversal attack patterns
- Disable or restrict access to vulnerable upload functionality if not operationally required
- Place SysAid servers behind a VPN to limit external exposure while awaiting patch deployment
# Example: Restrict access to SysAid server using iptables
# Allow only trusted management network
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
iptables -A INPUT -p tcp --dport 8443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
