CVE-2023-47246

CVE-2023-47246 is a critical-severity vulnerability in Sysaid with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-11-13). The underlying weakness is classified as CWE-22.

Key facts

Description

In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.

CVE-2023-47246: SysAid On-Premise Path Traversal to RCE (Exploited In-the-Wild)

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2023-47246
Severity Critical (CVSS 9.8)
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
EPSS 0.98851 (99.92nd percentile)
KEV Yes (Added 2023-11-13)
Source NVD

Summary

A path traversal vulnerability in SysAid On-Premise before version 23.3.36 allows unauthenticated remote attackers to write files to the Tomcat webroot directory. Because the application server serves content from this directory, an attacker can place executable artifacts in the webroot and achieve remote code execution. This vulnerability has been actively exploited in the wild since November 2023 and is listed in CISA's Known Exploited Vulnerabilities catalog.

Background

SysAid is an IT service management (ITSM) platform offered in both cloud and on-premises deployment models. The on-premise version runs on a Tomcat application server, which serves web content from a designated webroot directory. In November 2023, security researchers and incident responders observed in-the-wild exploitation of a vulnerability in SysAid On-Premise that allowed attackers to gain unauthorized access to ITSM instances. The attack chain leveraged a path traversal weakness to write malicious files into the Tomcat webroot, which the server then executed.

Root Cause

The vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). The affected application fails to adequately sanitize user-controlled input when constructing file paths for file-write operations. Specifically, an attacker can supply path traversal sequences (e.g., ../) in a request to escape the intended upload or write directory and place files in the Tomcat webroot. Because the webroot is a trusted location from which the application server serves executable content, placing a web shell or other executable artifact there grants the attacker remote code execution capabilities. The root cause is a missing or insufficient validation step on the server-side path canonicalization before file writes are committed.

Impact

The CVSS v3.1 score of 9.8 (Critical) reflects the severity of this vulnerability:

  • Attack Vector (AV): Network — The vulnerability is exploitable remotely over the network without any special network positioning.
  • Attack Complexity (AC): Low — No significant obstacles or advanced techniques are required to exploit the flaw.
  • Privileges Required (PR): None — The attacker does not need authenticated access or elevated privileges.
  • User Interaction (UI): None — No user action is required to trigger the exploit.
  • Scope (S): Unchanged — The vulnerable component is the only component affected; the exploit does not impact other resources.
  • Confidentiality (C): High — Successful exploitation can lead to unauthorized access to sensitive data stored within the ITSM instance.
  • Integrity (I): High — Attackers can modify data, configurations, or inject malicious content.
  • Availability (A): High — Attackers can disrupt service availability or use the compromised system as a foothold for further attacks.

In practice, this translates to full compromise of the SysAid On-Premise server, including potential lateral movement within the organization's network.

Exploitation Walkthrough (Defensive Perspective)

⚠️ Ethics Notice: The following description is provided from a defensive and incident-response perspective. No weaponized exploit code is included. Security practitioners should use this information to improve detection, response, and remediation — never to attack systems without explicit authorization.

From a defensive standpoint, the observed attack chain follows a predictable pattern:

  1. Reconnaissance: The attacker identifies an exposed SysAid On-Premise instance, typically via internet-facing asset scanning or service enumeration.
  2. Path Traversal Write: The attacker sends a specially crafted HTTP request containing path traversal sequences in a file-write or upload parameter. The goal is to escape the intended target directory and place a file into the Tomcat webroot.
  3. Web Shell Deployment: The written file is typically a lightweight web shell or script. Because the file now resides in the webroot, the Tomcat server will serve it upon request.
  4. Remote Code Execution: The attacker accesses the newly placed file via a standard HTTP request, causing the server to execute the embedded commands and establishing a remote command-and-control channel.
  5. Post-Exploitation: With code execution achieved, the attacker may perform data exfiltration, deploy additional payloads, or move laterally within the environment.

Defenders should focus on:

  • Detecting anomalous HTTP requests containing traversal sequences (../, ..\, encoded variants) directed at file-write endpoints.
  • Monitoring the Tomcat webroot for unexpected file creation or modification events.
  • Alerting on subsequent HTTP requests to newly created or unusual files within the webroot.

Affected and Patched Versions

Status Version
Affected SysAid On-Premise versions before 23.3.36
Patched SysAid On-Premise version 23.3.36 and later

Exact affected version ranges are not specified beyond "before 23.3.36." Organizations should assume all prior on-premise releases are vulnerable and upgrade immediately.

Remediation

  1. Upgrade immediately: Apply SysAid On-Premise version 23.3.36 or later. This is the primary and most reliable remediation.
  2. Restrict network exposure: If an immediate upgrade is not feasible, limit network access to the SysAid instance to authorized internal IP ranges and VPN users only. Do not expose the management interface to the public internet.
  3. Web Application Firewall (WAF): Deploy a WAF or reverse proxy with rules that block path traversal sequences in HTTP request parameters, especially those targeting file upload or write endpoints.
  4. File integrity monitoring (FIM): Implement FIM on the Tomcat webroot directory. Alert on any unauthorized file creation or modification.
  5. Compensating controls: Harden the Tomcat server configuration to restrict write permissions to the webroot and disable unnecessary default servlets or directory listings that could aid an attacker.

Detection

  • HTTP Access Logs: Look for POST or PUT requests containing path traversal patterns (../, %2e%2e%2f, %252e%252e%252f) in query parameters or body fields, particularly on endpoints associated with file uploads or attachments.
  • File System Monitoring: Monitor the Tomcat webroot for unexpected file creation events. An alert should trigger when new files appear in the webroot without a corresponding authorized deployment action.
  • Endpoint Detection and Response (EDR): Configure EDR policies to detect web server processes (e.g., Tomcat JVM) spawning unusual child processes, especially command shells or script interpreters.
  • Network Traffic Analysis: Look for anomalous outbound connections from the SysAid server to external command-and-control infrastructure after a successful compromise.

Assessment

With an EPSS score of 0.98851 and a 99.92nd percentile ranking, this vulnerability is among the most likely to be exploited in the wild. The CISA Known Exploited Vulnerabilities (KEV) catalog added this entry on 13 November 2023, confirming observed exploitation by threat actors. The in-the-wild exploitation history and the low attack complexity make this a high-priority patching item for any organization running SysAid On-Premise.

Key lessons:

  1. Patch ITSM infrastructure urgently: ITSM platforms often hold privileged credentials and service account details. A compromise here can cascade into broader network access.
  2. Webroot integrity monitoring is essential: Even if an application has a file-write vulnerability, detecting unauthorized writes to the webroot can provide a critical early warning and reduce dwell time.

References

Frequently asked questions

What is CVE-2023-47246?
In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.
How severe is CVE-2023-47246?
CVE-2023-47246 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-47246 being actively exploited?
Yes. CVE-2023-47246 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-11-13, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-47246?
CVE-2023-47246 affects Sysaid. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2023-47246?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-47246 have an EU (EUVD) identifier?
Yes. CVE-2023-47246 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-51378. It is also flagged as exploited in the EUVD (since 2023-11-13).
When was CVE-2023-47246 published?
CVE-2023-47246 was published on 2023-11-10 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Sysaid

All CVEs affecting Sysaid →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →