External risk intelligence

Kaseya VSA Unprivileged Remote Code Execution Advisory.

CVE advisoryKnown Exploit

CVE-2018-20753

Unprivileged remote attackers can execute PowerShell payloads on managed devices using affected Kaseya VSA software. This poses a business risk of unauthorized code execution on all managed systems. Active exploitation has been observed.

5Halo Surface Signal

Kaseya Virtual System Administrator

9.3 to before 9.3.0.359.4 to before 9.4.0.369.5 to before 9.5.0.5

External exposure likelihood

Halo Surface Signal score for CVE-2018-20753

Kaseya VSA is a Remote Monitoring and Management (RMM) platform designed to be a central, internet-facing gateway for managing distributed endpoints. These systems are typically deployed as public-facing web portals to facilitate remote administration and agent communication across disparate network environments.

Horizon Alert

Summary of the vulnerability and why it matters

Kaseya VSA is a remote monitoring and management platform that allows for the execution of PowerShell commands on managed devices. This vulnerability permits unprivileged remote attackers to run arbitrary PowerShell code on all devices managed by the VSA software. The potential business impact includes the compromise of data, disruption of operations, and unauthorized access to sensitive systems.

Vulnerable Kaseya VSA software
Allows unprivileged remote code execution
Potential for widespread system compromise

Attack Path

How an attacker could exploit the issue

Attackers can leverage this vulnerability to execute arbitrary code on managed devices. The attack begins with an unprivileged remote attacker gaining access to the Kaseya VSA RMM system. This is achieved by exploiting the system's network exposure. Once access is established, the attacker can trigger the execution of PowerShell payloads.

Exposed system
Unprivileged remote attacker
Execute PowerShell payloads

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk due to its exploitability and the potential for widespread impact. Attackers with a high skill level could leverage this flaw to execute malicious code, affecting all devices managed by the affected software. The active exploitation in the wild and its inclusion on a known exploited vulnerabilities list indicate a serious and immediate threat.

Likely attacker skill level: High.
Required access or conditions: None.
Business risk or urgency: Critical.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows unprivileged remote attackers to execute PowerShell commands on managed devices. The exploitability of this vulnerability is high, as it can be exploited over the network without requiring user interaction or elevated privileges. Organizations using affected versions of this software face a significant risk of unauthorized code execution on all managed devices.

Identify all deployed instances of the affected software.
Restrict network access to the software.
Apply vendor patches and verify system integrity.
Monitor for suspicious PowerShell activity.

Frequently asked questions

What is Kaseya Virtual System Administrator (VSA) and its function?

Kaseya VSA is a remote monitoring and management (RMM) platform. It enables IT professionals to manage and maintain computer systems and networks remotely. This includes tasks like software deployment, patching, and executing commands across multiple devices from a central console.

What type of weakness does CVE-2018-20753 represent in Kaseya VSA?

CVE-2018-20753 represents a critical remote code execution vulnerability. This allows unprivileged remote attackers to execute arbitrary PowerShell payloads on all managed devices, bypassing the need for special permissions.

How can an attacker exploit this vulnerability and what is the scope?

An attacker can exploit this vulnerability by gaining unprivileged remote access to the Kaseya VSA system, which is often network-exposed. Once access is established, they can trigger the execution of PowerShell payloads, impacting all devices managed by the affected software.

What is the relevance of CVE-2018-20753 given its network-facing nature?

Kaseya VSA's design as a central, internet-facing gateway for managing endpoints makes this vulnerability particularly relevant. Its inclusion on a known exploited vulnerabilities list highlights a serious and immediate threat, with attackers of high skill potentially leveraging this flaw.

What practical steps should be taken in response to this vulnerability?

Organizations should identify all instances of the affected software, restrict network access to it, and apply vendor patches promptly. Verifying system integrity and monitoring for any suspicious PowerShell activity are also crucial steps to mitigate risk.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.