CVE-2015-2863
published 2015-07-20

CVE-2015-2863: Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4…

Priority: P2 · 65 · medium
CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 10.32% (95.1th percentile)
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaseya | virtual_system_administrator | >= 7.0 < 7.0.0.29 | 7.0.0.29 |
| kaseya | virtual_system_administrator | >= 8.0 < 8.0.0.18 | 8.0.0.18 |
| kaseya | virtual_system_administrator | >= 9.0 < 9.0.0.14 | 9.0.0.14 |
| kaseya | virtual_system_administrator | >= 9.1 < 9.1.0.4 | 9.1.0.4 |

Detection & IOCs (extracted from sources)

url: /inc/supportLoad.asp?urlToLoad=http://oast.me
url: /vsaPres/Web20/core/LocalProxy.ashx?url=http://oast.me
path: /inc/supportLoad.asp
path: /vsaPres/Web20/core/LocalProxy.ashx
  • Detect open redirect exploitation via the 'urlToLoad' parameter in supportLoad.asp — monitor GET requests to /inc/supportLoad.asp with an external URL value in the urlToLoad query parameter.
  • Detect open redirect exploitation via the 'url' parameter in LocalProxy.ashx — monitor GET requests to /vsaPres/Web20/core/LocalProxy.ashx with an external URL value; attacker must also spoof the Host header to the target.
  • Both redirect endpoints are unauthenticated — no session cookie or login is required to trigger the redirect, making them accessible to any remote attacker.
  • The LocalProxy.ashx vector requires the attacker to spoof the HTTP Host header to the target Kaseya VSA host; detections relying solely on the Host header value may miss this attack variant.
  • Affected versions span a wide range (at least v7 to v9.1); version fingerprinting alone is insufficient since the exact lower bound of affected versions is unknown.
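
The monitoring described in the bullets above can be run over web server access logs. The following is an added example, not code from this page or its sources: it assumes combined-format log lines and an operator-supplied list of trusted VSA hostnames (`vsa.example.com` is a placeholder), and the function names are hypothetical.

```python
from urllib.parse import parse_qsl, urlsplit

# Lower-cased endpoint path (IIS paths are case-insensitive) -> redirect parameter.
REDIRECT_PARAMS = {
    "/inc/supportload.asp": "urltoload",
    "/vsapres/web20/core/localproxy.ashx": "url",
}

def external_target(request_uri, trusted_hosts):
    """Return the external host in the redirect parameter, or None."""
    # trusted_hosts (assumption): lower-cased hostnames the operator owns.
    # The Host header is ignored on purpose, since it may be spoofed.
    parts = urlsplit(request_uri)
    param = REDIRECT_PARAMS.get(parts.path.lower())
    if param is None:
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() != param:
            continue
        try:
            # parse_qsl already percent-decoded the value; treat "\" as "/".
            host = urlsplit(value.strip().replace("\\", "/")).hostname
        except ValueError:
            return "<unparseable>"  # malformed authority: still worth a look
        if host and host.lower() not in trusted_hosts:
            return host.lower()
    return None

def scan(log_lines, trusted_hosts):
    """Return [(line_number, external_host)] for GET requests worth reviewing."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for number, line in enumerate(log_lines, 1):
        try:
            method, uri, _ = line.split('"')[1].split(" ", 2)
            host = external_target(uri, trusted) if method.upper() == "GET" else None
        except (IndexError, ValueError):
            continue  # no parseable request field
        if host:
            hits.append((number, host))
    return hits

# Constructed sample lines in combined log format (not from a real server).
SAMPLE = [
    '198.51.100.7 - - [20/Jul/2015:10:00:01 +0000] "GET /inc/supportLoad.asp?urlToLoad=http://oast.me HTTP/1.1" 302 0',
    '198.51.100.7 - - [20/Jul/2015:10:00:02 +0000] "GET /vsaPres/Web20/core/LocalProxy.ashx?url=http%3A%2F%2Foast.me HTTP/1.1" 302 0',
    '203.0.113.9 - - [20/Jul/2015:10:00:03 +0000] "GET /inc/supportLoad.asp?urlToLoad=/help/index.htm HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Jul/2015:10:00:04 +0000] "GET /inc/supportLoad.asp?urlToLoad=https://vsa.example.com/a HTTP/1.1" 302 0',
]
```

Because both endpoints are unauthenticated, a hit does not depend on any session context in the log; the relative and trusted-host values in the last two sample lines are not flagged.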

CVSS provenance

nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck · 4.3 MEDIUM