PT-2023-6781 · Sysaid · Sysaid On-Premise

Sasha Shapirov · Published 2023-11-08 · Updated 2026-02-08 · CVE-2023-47246

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: SysAid On-Premise versions prior to 23.3.36

Description: A path traversal vulnerability in SysAid On-Premise software leads to code execution after an attacker writes a file to the Tomcat webroot. This issue has been exploited in the wild, with the Cl0p ransomware group using it to gain unauthorized access to systems. The vulnerability exists in the doPost method of the com.ilient.server.UserEntry class, allowing an attacker to upload a malicious WAR archive to the webroot, resulting in code execution. The estimated number of potentially affected devices worldwide is not specified, but the vulnerability has been used in real-world incidents, including ransomware attacks.

Recommendations: To resolve the issue, update SysAid On-Premise software to version 23.3.36 or later. As a temporary workaround, consider restricting access to the vulnerable doPost method in the com.ilient.server.UserEntry class until a patch is applied. Additionally, monitor systems for suspicious activity, as the vulnerability may have been exploited to deploy malware or gain unauthorized access.
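As an added example (not part of this advisory and not SysAid's code), a small Python check that supports the monitoring recommendation above: it walks a Tomcat webroot and flags any WAR archive that is not on a known deployment list, since an unexpected WAR in the webroot is the artifact this description names. The expected archive name is a placeholder assumption; the sample webroot is constructed in a temporary directory.

```python
"""Added example: flag unexpected WAR archives in a Tomcat webroot (defender check)."""
import tempfile
from pathlib import Path

# Assumption: the legitimate deployment names are known to the administrator.
# "ROOT.war" is a placeholder, not SysAid's real archive name.
EXPECTED_WARS = {"ROOT.war"}


def find_unexpected_wars(webroot: str, expected=frozenset(EXPECTED_WARS)):
    """Return POSIX-style relative paths of .war files under webroot whose
    file name is not in the expected set.

    Tomcat auto-deploys archives placed in its appBase, so any WAR that the
    administrator did not deploy deserves a closer look (mtime, owner, contents).
    """
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() == ".war" and path.name not in expected:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def demo():
    """Constructed sample: one legitimate archive and one stray archive."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "ROOT.war").write_bytes(b"PK")                 # legitimate deployment
        Path(d, "stray").mkdir()
        Path(d, "stray", "dropped.war").write_bytes(b"PK")     # simulated unexpected upload
        Path(d, "notes.txt").write_text("not an archive")      # ignored: not a WAR
        return find_unexpected_wars(d)


if __name__ == "__main__":
    for hit in demo():
        print("unexpected WAR:", hit)
```

Run it against the real Tomcat webapps directory with the actual deployment names filled in; anything it reports should be checked against change records before it is treated as benign.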

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2023-07600
BDU:2024-02644
CVE-2023-47246

Affected Products

Sysaid On-Premise
Apache Tomcat