Analytics Story: SysAid On-Prem Software CVE-2023-47246 Vulnerability

Updated Date: 2026-05-13 ID: 228f22cb-3436-4c31-8af4-370d40af7b49 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

A zero-day vulnerability was discovered in SysAid's on-premise software, exploited by the group DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads, gaining unauthorized access and control. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and urges customers to conduct a comprehensive compromise assessment.

Why it matters

The analytics tagged to this analytic story will aid in capturing initial access and some post-exploitation activities. In addition to the application spawning a shell, consider reviewing STRT's Cobalt Strike and PowerShell script block logging analytic stories. On November 2nd, SysAid's security team identified a potential vulnerability in their on-premise software. The investigation revealed a zero-day vulnerability exploited by the group known as DEV-0950 (Lace Tempest). The attackers uploaded a WebShell and other payloads into the webroot of the SysAid Tomcat web service, thereby gaining unauthorized access and control over the affected system. SysAid promptly initiated their incident response protocol and began proactive communication with their on-premise customers to implement a mitigation solution. SysAid has released a patch (version 23.3.36) to remediate the vulnerability and strongly recommends all customers to conduct a comprehensive compromise assessment of their network.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Windows Suspicious Child Process Spawned From WebServer	Web Shell	Anomaly
Java Writing JSP File	External Remote Services, Exploit Public-Facing Application	TTP
Web or Application Server Spawning a Shell	External Remote Services, Exploit Public-Facing Application	TTP
Windows File Download Via PowerShell	PowerShell, Ingress Tool Transfer	Anomaly

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
Windows Event Log Security 4688	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Sysmon EventID 1	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
CrowdStrike ProcessRollup2	Other	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon for Linux EventID 1	Linux	`sysmon:linux`	`Syslog:Linux-Sysmon/Operational`
Sysmon for Linux EventID 11	Linux	`sysmon:linux`	`Syslog:Linux-Sysmon/Operational`
Cisco Network Visibility Module Flow Data	Network	`cisco:nvm:flowdata`	`not_applicable`

References

https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification

Source: GitHub | Version: 2