Lucene search

AttackerKBAKB:4F83C3B2-DCCA-4E55-BB6B-4235DA81750F

HistoryNov 10, 2023 - 12:00 a.m.

CVE-2023-47246

2023-11-1000:00:00

attackerkb.com

sysaid on-premise

path traversal

code execution

exploited

wild

november 2023

microsoft

limited attacks

ransomware

lace tempest

data exfiltration

cve-2023-47246

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.668 Medium

EPSS

Percentile

97.6%

JSON

In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.

Recent assessments:

cbeek-r7 at November 09, 2023 2:50pm UTC reported:

On November 8, 2023, SysAid, an IT service management company, revealed a zero-day path traversal vulnerability, CVE-2023-47426, impacting on-premise SysAid servers. Microsoft’s threat intelligence team, the discoverers of this vulnerability, reported its exploitation in the wild by DEV-0950 (Lace Tempest) through “limited attacks.”

Microsoft, in a social media thread on the evening of November 8, underscored that Lace Tempest is associated with the distribution of Cl0p ransomware and highlighted the likelihood of ransomware deployment and/or data exfiltration when exploiting CVE-2023-47246. It’s worth noting that Lace Tempest was also responsible for the MOVEit Transfer and GoAnywhere MFT extortion attacks earlier this year.

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5