SysAid On-Prem Path Traversal Leading to Code Execution
CVE-2023-47246 is a path traversal vulnerability in SysAid On-Prem before version 23.3.36. According to the provided content, exploitation allows an attacker to write a file into the Tomcat webroot of the SysAid application. By placing a webshell or other attacker-controlled payload in the webroot, the attacker can then achieve code execution on the affected server. The issue was exploited in the wild as a zero-day in November 2023, with reporting that attackers uploaded webshells and additional payloads to gain unauthorized access and control of affected systems.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a Python exploit script (CVE-2023-47246-EXP.py) targeting the SysAid Server remote code execution vulnerability (CVE-2023-47246). The exploit works by uploading a user-supplied web shell (e.g., shell.jsp) to a vulnerable SysAid Server (version <23.3.36) via a crafted HTTP request. The script compresses and hex-encodes the shell file, then uploads it to the target server, and finally verifies if the shell is accessible. The README provides usage instructions, affected versions, fingerprinting tips for identifying SysAid servers, and references to further information. The repository also includes a requirements.txt for dependencies and a minimal text file. The exploit is operational, requiring the attacker to supply a shell file and a target URL, and results in remote code execution if successful.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability affecting SysAid On-Prem Software referenced as an associated analytic story.
Referenced only as an associated analytic story for SysAid On-Prem Software; no vulnerability details are provided in the content.
Command injection vulnerability in pfSense pfBlockerNG referenced as a target in scanning activity.
A vulnerability identified as CVE-2023-47246 in SysAid On-Prem Software is referenced as an associated analytic story, but no technical details are provided in the content.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.