SysAid On-Premise Path Traversal to Code Execution
CVE-2023-47246 is a path traversal vulnerability in SysAid On-Premise before version 23.3.36. The flaw allows an attacker to write files outside the intended directory boundaries and place attacker-controlled content into the Tomcat webroot used by the SysAid application. According to the provided content, this file-write condition can be leveraged to upload a web shell and additional payloads into the SysAid Tomcat web service webroot, resulting in code execution. The vulnerability was exploited in the wild in November 2023.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a Python exploit script (CVE-2023-47246-EXP.py) targeting the SysAid Server remote code execution vulnerability (CVE-2023-47246). The exploit works by uploading a user-supplied web shell (e.g., shell.jsp) to a vulnerable SysAid Server (version <23.3.36) via a crafted HTTP request. The script compresses and hex-encodes the shell file, then uploads it to the target server, and finally verifies if the shell is accessible. The README provides usage instructions, affected versions, fingerprinting tips for identifying SysAid servers, and references to further information. The repository also includes a requirements.txt for dependencies and a minimal text file. The exploit is operational, requiring the attacker to supply a shell file and a target URL, and results in remote code execution if successful.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability affecting SysAid On-Prem Software referenced as an associated analytic story.
Referenced only as an associated analytic story for SysAid On-Prem Software; no vulnerability details are provided in the content.
Command injection vulnerability in pfSense pfBlockerNG referenced as a target in scanning activity.
A vulnerability identified as CVE-2023-47246 in SysAid On-Prem Software is referenced as an associated analytic story, but no technical details are provided in the content.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.