CVE-2023-47246

CRITICAL KEV RANSOMWARE NUCLEI

SysAid < 23.3.36 - Path Traversal and Remote Code Execution via Tomcat Webroot File Write

Title source: llm

Exploitation Summary

CVE-2023-47246 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 13, 2023, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including W01fh4cker, tucommenceapousser, and mdelaclaire. A Nuclei detection template is also available.

Description

In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.

Exploits (4)

nomisec WORKING POC 53 stars
by W01fh4cker · remote
https://github.com/W01fh4cker/CVE-2023-47246-EXP

The repository contains a functional exploit for CVE-2023-47246, which targets a vulnerability in Apache Tomcat. The exploit involves compressing a malicious WAR file, generating a hex-encoded payload, and sending it to the target server to achieve remote code execution (RCE).

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat (version not specified in the provided code)
No auth needed
Prerequisites: Target server running vulnerable Apache Tomcat · Network access to the target server
devstral-2 · analyzed Feb 18, 2026

nomisec SUSPICIOUS 1 star
by tucommenceapousser · remote
https://github.com/tucommenceapousser/CVE-2023-47246

The repository lacks actual exploit code and instead provides instructions to clone and run an external script. It includes vague marketing language and references external downloads, which are indicators of a potential social engineering lure.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: SysAid Help Desk Software <23.3.36
No auth needed
Prerequisites: none
devstral-2 · analyzed Feb 18, 2026

gitlab WORKING POC
by mdelaclaire · poc
https://gitlab.com/mdelaclaire/CVE-2023-47246-EXP

The repository contains a functional exploit for CVE-2023-47246, which appears to target a vulnerability in a web application. The exploit involves compressing a malicious file into a WAR archive, generating a hex-encoded payload, and sending it to the target with randomized directory names and user agents to evade detection.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unknown (likely a Java-based web application)
No auth needed
Prerequisites: malicious shell file · target URL
devstral-2 · analyzed Feb 23, 2026

gitlab SUSPICIOUS
by mdelaclaire · poc
https://gitlab.com/mdelaclaire/CVE-2023-47246

The repository lacks actual exploit code and instead provides generic instructions for cloning and running a script, with no technical details about the vulnerability. It includes external links and vague commands without demonstrating any understanding of CVE-2023-47246.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: SysAid Help Desk Software <23.3.36
No auth needed
Prerequisites: none provided
devstral-2 · analyzed Feb 23, 2026

Nuclei Templates (1)

SysAid Server - Remote Code Execution
CRITICAL · VERIFIED · by iamnoooob, rootxharsh, pdresearch
Shodan: http.favicon.hash:1540720428 || http.favicon.hash:"1540720428"
FOFA: icon_hash="1540720428"

Scores

CVSS v3 9.8
EPSS 0.9438
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-11-13
VulnCheck KEV 2023-11-08
InTheWild.io 2023-11-09
ENISA EUVD EUVD-2023-51378
Ransomware Use Confirmed
CWE CWE-22
Status published
Products (1)
sysaid/sysaid < 23.3.36
Published Nov 10, 2023
KEV Added Nov 13, 2023
Tracked Since Feb 18, 2026