SysAid zero-day exploited by Clop ransomware group

Pierluigi Paganini November 10, 2023

Microsoft spotted the exploitation of a SysAid zero-day vulnerability in limited attacks carried out by the Lace Tempest group.

Microsoft reported the exploitation of a zero-day vulnerability, tracked as CVE-2023-47246, in the SysAid IT support software in limited attacks.

The IT giant linked the attacks to the Clop ransomware gang (aka Lace Tempest). The company reported the flaw to the software vendor which quickly fixed it.

The Lace Tempest operators exploited the vulnerability to issue commands via the SysAid software to deliver a loader for the Gracewire malware (aka FlawedGrace). The malware enabled human-operated activity, including lateral movement, data theft, and ransomware deployment.

After exploiting the vulnerability, Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware. This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.
— Microsoft Threat Intelligence (@MsftSecIntel) November 9, 2023

SysAid reported that on November 2nd, its security team became aware of a potential vulnerability in its on-premise software. The software firm engaged the cybersecurity firm Profero to investigate the issue. Profero determined that the software was affected by a zero-day vulnerability.

“The investigation identified a previously unknown path traversal vulnerability leading to code execution within the SysAid on-prem software.” reads the report published by Profero. “The vulnerability was exploited by a group known as DEV-0950 (Lace Tempest), as identified by the Microsoft Threat Intelligence team. The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service.” “The WebShell provided the attacker with unauthorized access and control over the affected system. Subsequently, the attacker utilized a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host, which was used to load the GraceWire trojan.”

Rapid7 researchers reported that Shodan searches for either a specific CSS file or the favicon both return only 416 instances of SysAid exposed to the public internet. (Note that “exposed” does not necessarily imply that those instances are vulnerable.).

SysAid addressed the flaw with the release of version 23.3.36 on November 8.

Below are the recommendations provided by the software vendor to its customers:

Ensure that your SysAid systems are updated to version 23.3.36, which includes the patches for the identified vulnerability.
Conduct a thorough compromise assessment of your SysAid server to look for any indicators mentioned.
Review any credentials or other information that would have been available to someone with full access to your SysAid server and check any relevant activity logs for suspicious behavior.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

Pierluigi Paganini July 25, 2025

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

Pierluigi Paganini July 25, 2025