A critical zero-day vulnerability in SysAid on-premises IT service management software is being actively exploited in the wild, drawing urgent attention from cybersecurity teams worldwide. Tracked as CVE-2023-47246, the flaw was first detected by the Microsoft Threat Intelligence team in early November 2023 and has already been leveraged by the threat actor known as Lace Tempest — the same group behind the devastating MOVEit Transfer exploits earlier this year.
The Exploit Mechanics
The vulnerability is classified as a path traversal flaw (CWE-35) that allows attackers to escape the intended directory and write arbitrary files into the Apache Tomcat webroot on SysAid servers. Because Tomcat executes server-side files placed in its webroot, writing a malicious file there gives the attacker remote code execution. The attack chain begins with the threat actor uploading a webshell into the Tomcat web service, which provides unauthorized access to and control over the compromised system.
From there, the attacker deploys the user.exe malware loader, which executes a PowerShell script designed to inject the GraceWire trojan into three critical Windows service executables: spoolsv.exe, msiexec.exe, and svchost.exe. Each of these executables runs essential Windows services, so a malware takeover can render the affected device inoperable, and injecting into them also lets the trojan run under legitimate, trusted process names. After deploying the trojan, the attacker runs additional scripts to erase evidence of the intrusion and establishes a Cobalt Strike listener for persistent access to and monitoring of compromised hosts.
Affected Systems
All customers running SysAid on-premises server installations are at risk. SysAid is widely used by enterprises for IT service management, help desk operations, and asset management. The software runs on internal networks, making the vulnerability particularly dangerous because attackers can use a compromised SysAid instance as a springboard for lateral movement across the entire corporate environment.
The threat actor behind this campaign, Lace Tempest, has a well-documented track record of deploying Cl0p ransomware following initial access. The same group previously exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer product, compromising thousands of organizations globally and exfiltrating sensitive data. The GraceWire trojan deployed through the SysAid vulnerability has also been linked to ransomware attacks and subsequent data breaches, raising the stakes significantly for any organization running vulnerable versions.
The Mitigation Strategy
SysAid has released version 23.3.36, which contains a security patch that addresses the path traversal vulnerability. The company’s CTO, Sasha Shapirov, issued an urgent advisory urging all customers with on-premises server installations to upgrade immediately. Beyond patching, SysAid recommends conducting a comprehensive compromise assessment of the entire network to identify any indicators of compromise.
Security teams should look for the specific IOCs associated with this campaign, including the webshell files in the Tomcat webroot, the user.exe loader, and the GraceWire trojan payloads. Organizations should also check for Cobalt Strike beacon activity on their networks, as this is a hallmark of Lace Tempest operations. If any indicators are found, immediate incident response protocols should be activated.
Lessons Learned
The SysAid zero-day underscores several critical lessons for the cybersecurity community. First, threat actors are increasingly targeting IT management infrastructure as an entry point into enterprise networks. These tools often have broad access to corporate systems and are trusted by internal security teams, making them ideal targets for sophisticated attackers.
Second, the rapid weaponization of zero-day vulnerabilities — from discovery to active exploitation — continues to shrink the window organizations have to respond. Microsoft detected this campaign while it was already underway, meaning many organizations may have already been compromised before the advisory was issued.
Third, the connection between initial access and ransomware deployment remains a consistent pattern. Organizations that detect and respond to initial compromise quickly can prevent the far more damaging ransomware phase of these attacks.
User Action Required
If your organization runs SysAid on-premises software, take the following steps immediately: upgrade to version 23.3.36 or later, conduct a full compromise assessment, review logs for the IOCs described above, ensure backup systems are current and tested, and review network segmentation to limit lateral movement from IT management systems. The threat landscape rewards speed — the faster you patch and assess, the lower your risk of becoming the next Cl0p victim.
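As an added example for the compromise assessment described in the mitigation section and in the action list above (this is not SysAid's or the article's code), the following Python script implements the two file-based checks the advisory names: it walks a Tomcat webroot for web-executable files modified after a cutoff and for the user.exe loader filename. The sample directory layout, the file names other than user.exe, and the 30-day window are constructed assumptions; the page publishes no paths or hashes.

```python
# Added example (not SysAid's or the article's code): file-based compromise sweep for the
# indicators the advisory names. Sample tree, file names and the 30-day window are constructed.
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Server-side file types Tomcat will execute if they are dropped into the webroot.
WEBSHELL_EXTENSIONS = {".jsp", ".jspx", ".war"}
# Loader name from the advisory; no hash or path is given on the page, so match on name only.
LOADER_NAME = "user.exe"

@dataclass
class Finding:
    path: str
    reason: str

def sweep(webroot: Path, max_age_days: int = 30) -> List[Finding]:
    """Flag user.exe anywhere under webroot and web-executable files newer than max_age_days."""
    cutoff = time.time() - max_age_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            p = Path(dirpath) / name
            if name.lower() == LOADER_NAME:
                findings.append(Finding(str(p), "loader filename"))
            elif p.suffix.lower() in WEBSHELL_EXTENSIONS and p.stat().st_mtime >= cutoff:
                findings.append(Finding(str(p), "web-executable file modified after cutoff"))
    return sorted(findings, key=lambda f: f.path)

def build_sample_webroot() -> Path:
    """Constructed sample tree: an old legitimate JSP, a freshly written JSP, and a loader."""
    root = Path(tempfile.mkdtemp(prefix="tomcat-webroot-"))
    legit = root / "ROOT" / "index.jsp"
    legit.parent.mkdir(parents=True)
    legit.write_text("<%-- legitimate page --%>")
    old = time.time() - 400 * 86400  # backdate well outside the detection window
    os.utime(legit, (old, old))
    (root / "ROOT" / "cache.jsp").write_text("<%-- constructed suspicious file --%>")
    (root / "temp").mkdir()
    (root / "temp" / LOADER_NAME).write_bytes(b"MZ constructed placeholder")
    return root

if __name__ == "__main__":
    for f in sweep(build_sample_webroot()):
        print(f"{f.reason}: {f.path}")
```

On a real host, point sweep() at the Tomcat webroot and treat every hit as a lead for the incident response process, not as a verdict on its own.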
lace tempest again. same group behind moveit and now hitting sysaid through path traversal. they run an incredibly efficient operation
lace tempest went from MOVEit to sysaid in like 4 months. they iterate faster than most legitimate software companies
Lace Tempest treats zero-days like a product pipeline. find bug, weaponize, deploy, move to next target
Lace Tempest went MOVEit to SysAid in 4 months. their exploit pipeline is faster than most vendors' patch cycles. that gap is the real vulnerability
the gracewire trojan injection into spoolsv.exe is nasty. blending into print spooler processes means most edr tools won't flag it
exactly. fileless injection into legitimate windows services is getting way too common. saw a similar pattern with qakbot earlier that year
injecting into spoolsv.exe is clever because half the orgs still have print spooler running on domain controllers. prime hiding spot
spoolsv.exe is such a common injection target. orgs really need to audit which services are actually running on their servers
spoolsv.exe injection works because half of enterprises still run print spooler on servers. disable it and half these malware chains fall apart overnight
cve-2023-47246 got a cvss 9.8 and orgs still took weeks to patch. if you're running sysaid on-prem treat it like any other internet-facing service
CVSS 9.8 on CVE-2023-47246 and orgs took weeks to patch. if you run SysAid on-prem connected to the internet you are asking for it