// For flags

CVE-2015-6922

Kaseya Virtual System Administrator Remote File Upload Remote Code Execution Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.33, 8.x before 8.0.0.23, 9.0 before 9.0.0.19, and 9.1 before 9.1.0.9 does not properly require authentication, which allows remote attackers to bypass authentication and (1) add an administrative account via crafted request to LocalAuth/setAccount.aspx or (2) write to and execute arbitrary files via a full pathname in the PathData parameter to ConfigTab/uploader.aspx.

Kaseya Virtual System Administrator (VSA) versiones 7.x anteriores a 7.0.0.33, versiones 8.x anteriores a 8.0.0.23, versiones 9.0 anteriores a 9.0.0.19 y versiones 9.1 anteriores a 9.1.0.9, no requiere autenticación, lo que permite a atacantes remotos omitir la autenticación y ( 1) agregar una cuenta administrativa mediante una petición diseñada en el archivo LocalAuth/setAccount.aspx o (2) escribir y ejecutar archivos arbitrarios por medio de un nombre de ruta completo en el parámetro PathData en el archivo ConfigTab/uploader.aspx.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Kaseya Virtual System Administrator. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the uploader.aspx page, which does not properly require that users be authenticated and does not restrict destination file paths. Attackers can leverage this vulnerability to upload and execute arbitrary code on the server under the context of IIS.

Kaseya Virtual System Administrator suffers from multiple code execution vulnerabilities and a privilege escalation vulnerability. VSA versions 7.0.0.0 through 7.0.0.32, 8.0.0.0 through 8.0.0.22, 9.0.0.0 through 9.0.0.18, and 9.1.0.0 through 9.1.0.8 are affected.

*Credits: Pedro Ribeiro (pedrib@gmail.com) / Agile Information Security
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2015-09-11 CVE Reserved
  • 2015-09-23 CVE Published
  • 2015-10-05 First Exploit
  • 2024-08-06 CVE Updated
  • 2024-10-02 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-287: Improper Authentication
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Kaseya
Search vendor "Kaseya"
 Virtual System Administrator
Search vendor "Kaseya" for product "Virtual System Administrator"
 >= 7.0.0.0 < 7.0.0.33
Search vendor "Kaseya" for product "Virtual System Administrator" and version " >= 7.0.0.0 < 7.0.0.33"
-
Affected
Kaseya
Search vendor "Kaseya"
 Virtual System Administrator
Search vendor "Kaseya" for product "Virtual System Administrator"
 >= 8.0.0.0 < 8.0.0.23
Search vendor "Kaseya" for product "Virtual System Administrator" and version " >= 8.0.0.0 < 8.0.0.23"
-
Affected
Kaseya
Search vendor "Kaseya"
 Virtual System Administrator
Search vendor "Kaseya" for product "Virtual System Administrator"
 >= 9.0.0.0 < 9.0.0.19
Search vendor "Kaseya" for product "Virtual System Administrator" and version " >= 9.0.0.0 < 9.0.0.19"
-
Affected
Kaseya
Search vendor "Kaseya"
 Virtual System Administrator
Search vendor "Kaseya" for product "Virtual System Administrator"
 >= 9.1.0.0 < 9.1.0.9
Search vendor "Kaseya" for product "Virtual System Administrator" and version " >= 9.1.0.0 < 9.1.0.9"
-
Affected