ClickCease Lace Tempest Exploits SysAid Zero-Day Flaw

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Lace Tempest Exploits SysAid Zero-Day Flaw

Wajahat Raja

November 23, 2023 - TuxCare expert team

In a recent revelation, SysAid, a leading IT management software provider, has unveiled a critical security threat affecting its on-premises software. The threat actor, identified as DEV-0950 or Lace Tempest by Microsoft, previously linked to the notorious Clop ransomware group, is now exploiting a zero-day vulnerability labeled CVE-2023-47246. This vulnerability, if left unaddressed, can pave the way for unauthorized access and control over systems, posing a substantial risk to organizations. In this blog post, we’ll uncover the SysAid Zero-Day flaw and will shed light on possible mitigation measures.

The Emergence of Lace Tempest Cyber Threat

SysAid, in a blog post, disclosed the active exploitation of a path traversal zero-day vulnerability by Lace Tempest. This revelation follows Microsoft’s early detection of the exploitation, prompting immediate action from SysAid. The gravity of the
Lace Tempest cybersecurity

had earlier orchestrated widespread attacks on MoveIT Transfer product users, affecting numerous organizations, including U.S. government agencies.

Cybersecurity News Lace Tempest

On November 2, Microsoft detected the exploitation of the
SysAid vulnerability and promptly reported it to SysAid. The threat actor, Lace Tempest, was swiftly identified as the orchestrator behind the malicious activity. The association with Clop ransomware raised concerns, considering Lace Tempest’s involvement in previous attacks that involved data theft and ransom threats.

SysAid Zero-Day Flaw Mechanism

SysAid shed light on the intricacies of the
zero-day exploit in SysAid orchestrated by Lace Tempest. The threat actor employed PowerShell to obfuscate their actions, making it challenging for incident response teams to investigate effectively. The modus operandi involved uploading a WebShell-containing WAR archive into the webroot of the SysAid Tomcat web service. This, in turn, granted unauthorized access and control over the compromised system.

SysAid’s Urgent Advisory

SysAid security update revealed the urgency to take immediate action by upgrading to the fixed version 23.3.36. The company emphasized the need for users to proactively search for indicators of compromise and, if necessary, undertake further remediation. Given the severity of the threat, SysAid stressed the importance of adhering to incident response playbooks and promptly installing available patches. Users were specifically warned to be vigilant for unauthorized access attempts and suspicious file uploads within the webroot directory of the Tomcat web service.

Mitigating the Risk

SysAid underscored the criticality of proactive measures to secure installations and mitigate risks. Users were advised to review credential information, scrutinize logs for any unusual activity, and monitor for the presence of WebShell files. The urgency conveyed by SysAid reflects the potential consequences of not promptly addressing the
zero-day vulnerability.

SysAid Patch For Zero-Day Flaw

In a separate statement on X (formerly Twitter), Microsoft Threat Intelligence corroborated the discovery of exploitation activity related to the
SysAid software vulnerability. After notifying SysAid, Microsoft acknowledged the swift patching of the vulnerability. The tech giant, in addition to urging users to patch their systems, cautioned organizations to conduct thorough searches for signs of exploitation before applying patches. Microsoft highlighted that Lace Tempest might leverage their access to exfiltrate data and deploy Clop ransomware, drawing parallels with their tactics in the MoveIT Transfer attacks.

SysAid’s Response and Collaboration

SysAid, upon learning of the security risk in its on-premises software, acted promptly. The company engaged expert support to investigate and address the issue swiftly. Communication with on-premises customers commenced immediately, ensuring the implementation of a workaround solution. A comprehensive product upgrade, featuring enhanced security measures, has been rolled out to address the identified security risk. SysAid expressed gratitude for the collaborative support from Microsoft’s Defender team throughout their response to the issue.



Lace Tempest cyber attack underscores the persistent and evolving nature of cyber threats. In the face of such challenges, proactive measures, timely patching, and close collaboration with cybersecurity experts are paramount. Organizations must remain vigilant, adopting a comprehensive approach to cybersecurity to safeguard their systems and sensitive data from any zero-day vulnerability in IT systems. As technology advances, so do the threats, making it imperative for businesses to stay one step ahead in the ongoing battle for digital security.


The sources for this piece include articles in The Hacker News and Bleeping Computer

Lace Tempest Exploits SysAid Zero-Day Flaw
Article Name
Lace Tempest Exploits SysAid Zero-Day Flaw
Explore critical insights on addressing the SysAid Zero-Day Flaw exploited by Lace Tempest. Upgrade now and protect your organization.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter