cbcvebase.
CVE-2013-10034
published 2025-07-31


Priority: P277 · Severity: critical, 9.3 (CVSS 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (all threat, environmental and supplemental metrics not defined, X)
Exploit: public exploit available
EPSS: 2.29% (81.0th percentile)
An unrestricted file upload vulnerability exists in Kaseya KServer versions prior to 6.3.0.2. The uploadImage.asp endpoint allows unauthenticated users to upload files to arbitrary paths via a crafted filename parameter in a multipart/form-data POST request. Due to the lack of authentication and input sanitization, an attacker can upload a file with an .asp extension to a web-accessible directory, which can then be invoked to execute arbitrary code with the privileges of the IUSR account. The vulnerability enables remote code execution without prior authentication and was resolved in version 6.3.0.2 by removing the vulnerable uploadImage.asp endpoint.

Affected (1 range)

Vendor   Product   Version range   Fixed in
kaseya   kserver   < 6.3.0.2       6.3.0.2

Detection & IOCs (extracted from sources)

URL:      /uploadImage.asp
Path:     uploadImage.asp
Filename: *.asp (uploaded via crafted filename parameter)
  • Monitor for unauthenticated POST requests to /uploadImage.asp with multipart/form-data content-type, especially those containing a crafted filename parameter with an .asp extension.
  • Alert on .asp files appearing in web-accessible directories on Kaseya KServer hosts, particularly those created by the IUSR account, as this indicates successful exploitation.
  • Exploit module available in Metasploit Framework; hunt for exploitation attempts using the module path windows/http/kaseya_uploadimage_file_upload.
  • The vulnerability only affects Kaseya KServer versions strictly prior to 6.3.0.2; the fix was implemented by removing the vulnerable endpoint entirely rather than patching it.
  • Exploitation results in code execution under the IUSR account (low-privilege IIS anonymous user), not SYSTEM; post-exploitation privilege escalation may follow.
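The detection guidance above can be turned into a concrete check. The following is an added example, not code from the advisory or from Kaseya: it compares a KServer version string against the fixed release 6.3.0.2 and scans IIS W3C-format log lines for POST requests to uploadImage.asp, then flags any later request for a .asp page from the same client, which is the upload-then-invoke pattern the indicators describe. The column layout is taken from the log's own `#Fields:` directive; the `SAMPLE_LOG` entries, the client addresses and the severity labels are constructed for illustration and are not real traffic.

```python
"""Detection helpers for the CVE-2013-10034 indicators (added example)."""
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple

FIXED_VERSION = (6, 3, 0, 2)  # from the advisory: versions strictly prior are affected


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.3.0.1' into (6, 3, 0, 1), padding to four components so '6.3' sorts before 6.3.0.2."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable_version(version: str) -> bool:
    """True when the version is strictly older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


@dataclass
class Alert:
    line_no: int
    client_ip: str
    severity: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, dict]]:
    """Yield (line number, field dict) for each W3C log entry.

    Field names come from the '#Fields:' directive, so the parser follows
    whatever column layout the IIS server was configured with."""
    fields = None
    for n, line in enumerate(lines, start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed entry: skip it rather than misalign columns
        yield n, dict(zip(fields, values))


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return alerts for uploadImage.asp activity and likely follow-up invocation."""
    alerts: List[Alert] = []
    uploaders = set()  # client IPs that POSTed to uploadImage.asp earlier in the log
    for n, rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        method = rec.get("cs-method", "").upper()
        client = rec.get("c-ip", "?")
        if stem.endswith("/uploadimage.asp"):
            if method == "POST":
                uploaders.add(client)
                alerts.append(Alert(n, client, "high",
                                    "POST to uploadImage.asp (unauthenticated upload endpoint)"))
            else:
                # Any hit is worth noting: the endpoint no longer exists in 6.3.0.2
                alerts.append(Alert(n, client, "low",
                                    f"{method} to uploadImage.asp (endpoint removed in 6.3.0.2)"))
        elif stem.endswith(".asp") and client in uploaders:
            alerts.append(Alert(n, client, "high",
                                f"request for {stem} after upload from same client; "
                                "possible execution of an uploaded .asp file"))
    return alerts


# Constructed IIS log excerpt (not real data). IIS writes spaces in user agents as '+'.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 7.5",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken",
    "2013-11-11 10:00:01 10.0.0.5 GET /access/login.asp - 80 - 203.0.113.7 Mozilla/5.0 200 15",
    "2013-11-11 10:00:05 10.0.0.5 POST /uploadImage.asp - 80 - 203.0.113.7 python-requests/2.0 200 120",
    "2013-11-11 10:00:09 10.0.0.5 GET /images/x.asp - 80 - 203.0.113.7 python-requests/2.0 200 40",
    "2013-11-11 10:01:00 10.0.0.5 GET /index.asp - 80 admin 198.51.100.2 Mozilla/5.0 200 10",
]

if __name__ == "__main__":
    print("6.3.0.1 vulnerable:", is_vulnerable_version("6.3.0.1"))
    for a in detect(SAMPLE_LOG):
        print(f"line {a.line_no} [{a.severity}] {a.client_ip}: {a.reason}")
```

Run against the sample, the login page request on line 3 is not flagged (the client has not yet touched the upload endpoint), the POST on line 4 raises a high-severity alert, and the .asp request on line 5 from the same client is flagged as a likely invocation; the admin's request from a different address is ignored. On a real KServer host the second rule should be narrowed with an allow-list of the product's own .asp pages to keep noise down.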