Connect with us

Hi, what are you looking for?



SysAid Zero-Day Vulnerability Exploited by Ransomware Group

CVE-2023-47246 zero-day vulnerability in SysAid IT service management software has been exploited by Cl0p ransomware affiliates.

SysAid zero-day CVE-2023-47246 exploited

Organizations using SysAid IT service management software have been warned about a zero-day vulnerability that has been exploited by affiliates of a notorious ransomware operation. 

Exploitation of the zero-day, tracked as CVE-2023-47246, was apparently first observed by Microsoft’s threat intelligence team, which rushed to notify SysAid about the vulnerability and the attacks.

The vendor has determined that its SysAid on-premises software is impacted by the flaw, which has been described as a path traversal issue leading to arbitrary code execution. 

SysAid learned about the zero-day on November 2, and it announced the release of version 23.3.36, which should patch the vulnerability, on November 8. 

In addition to patches, the vendor has shared technical information on the observed attacks, including indicators of compromise (IoCs), as well as recommendations on the steps that potentially impacted customers should take. 

Incident response company Profero, which assisted SysAid in its investigation, has also published a blog post describing its findings.

According to Microsoft, CVE-2023-47246 has been exploited by a threat actor it tracks as Lace Tempest, which is also known as DEV-0950 and whose activities overlap with the groups named FIN11 and TA505. They are all known for deploying Cl0p ransomware.

Microsoft previously linked Lace Tempest to the massive MOVEit Transfer zero-day exploitation, which to date has impacted — both directly and indirectly — more than 2,500 organizations. In those attacks, the cybercriminals exploited a MOVEit managed file transfer software flaw to gain access to the information exchanged by organizations through the product. They then used the stolen files to extort money from victims.

Advertisement. Scroll to continue reading.

In the SysAid zero-day attacks, the hackers leveraged the IT support software to deliver the MeshAgent remote administration tool and the GraceWire malware. 

“This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment,” Microsoft said.

According to SysAid, the cybercriminals also deployed a PowerShell script to cover their tracks by erasing evidence from targeted servers. 

*updated to add link to Profero blog post

Related: Sony Confirms Data Stolen in Two Recent Hacker Attacks

Related: Cybersecurity Companies Report Surge in Ransomware Attacks

Related: Live Exploitation Underscores Urgency to Patch Critical WS-FTP Server Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.