cbcvebase.
CVE-2015-6589
published 2020-02-13

CVE-2015-6589: Directory traversal vulnerability in Kaseya Virtual System Administrator (VSA) 7.0.0.0 before 7.0.0.33, 8.0.0.0 before 8.0.0.23, 9.0.0.0 before 9.0.0.19, and…

Priority: P266, high
CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 13.58% (96.0th percentile)
Directory traversal vulnerability in Kaseya Virtual System Administrator (VSA) 7.0.0.0 before 7.0.0.33, 8.0.0.0 before 8.0.0.23, 9.0.0.0 before 9.0.0.19, and 9.1.0.0 before 9.1.0.9 allows remote authenticated users to write to and execute arbitrary files due to insufficient restrictions in file paths to json.ashx.

Affected

4 ranges
Vendor  Product                       Version range           Fixed in
kaseya  virtual_system_administrator  >= 7.0.0.0 < 7.0.0.33   7.0.0.33
kaseya  virtual_system_administrator  >= 8.0.0.0 < 8.0.0.23   8.0.0.23
kaseya  virtual_system_administrator  >= 9.0.0.0 < 9.0.0.19   9.0.0.19
kaseya  virtual_system_administrator  >= 9.1.0.0 < 9.1.0.9    9.1.0.9

Detection & IOCs (extracted from sources)

url: /vsapres/web20/json.ashx
path: /vsapres/web20/json.ashx
path: /vsapres/web20/core/login.aspx
filename: shell.asp
path: ../WebPages
  • Monitor for multipart POST requests to /vsapres/web20/json.ashx containing a 'directory' field with path traversal sequences (e.g., '../WebPages') and a 'request' field set to 'uploadFile'.
  • Alert on multipart form-data uploads to json.ashx where the 'directory' parameter contains '../' directory traversal sequences.
  • Detect upload of .asp or .aspx webshell files via the 'impinf__uploadfilelocation' form field in requests to json.ashx.
  • Look for the 'ReferringWebWindowId' parameter (GUID format) in POST requests to /vsapres/web20/json.ashx, which is required by the exploit to authenticate the upload.
  • Monitor for new .asp/.aspx files appearing directly under the Kaseya WebPages root directory, which would indicate a successful traversal-based upload.
  • Detect sequential GET requests to /vsapres/web20/core/login.aspx followed immediately by a POST to /vsapres/web20/json.ashx with a multipart upload — characteristic of the kazPwn exploit chain.
  • The exploit requires the attacker to be authenticated; an active VSA session cookie and a valid ReferringWebWindowId (GUID) must be obtained before the upload request is made.
  • The directory traversal path '../WebPages' assumes the default Kaseya installation path (C:\Kaseya\WebPages\); non-default install paths may require a different traversal string, and Kaseya reportedly discloses invalid paths in error responses.
  • CVE-2015-6589 (authenticated) is distinct from CVE-2015-6922 (unauthenticated upload and privilege escalation); detections should be scoped accordingly.
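
The request-level indicators listed above can be checked against captured traffic where request bodies are available (for example a proxy or WAF that logs them). The following is an added example, not code from this page's sources: the function names, indicator labels, boundary string and sample request are constructed, and only the endpoint path and form field names come from the page.

```python
import re
from email import message_from_bytes

TARGET = "/vsapres/web20/json.ashx"            # endpoint named on this page
TRAVERSAL = re.compile(r"\.\.[\\/]")           # '../' or '..\' in a path value
SCRIPT_EXT = re.compile(r"\.aspx?$", re.I)     # .asp / .aspx uploads
B = "constructed-boundary"                     # constructed sample boundary

def parse_form(content_type, body):
    """Return ({field: value}, {field: filename}) for a multipart body."""
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    fields, files = {}, {}
    parts = msg.get_payload() if msg.is_multipart() else []
    for part in parts:
        name = part.get_param("name", header="content-disposition")
        if name is None:
            continue
        if part.get_filename():
            files[name] = part.get_filename()
        else:
            raw = part.get_payload(decode=True) or b""
            fields[name] = raw.decode("utf-8", "replace").strip()
    return fields, files

def findings(method, path, content_type, body):
    """Apply the page's request indicators to one captured request."""
    # IIS paths are case-insensitive, so compare in lower case.
    if method != "POST" or path.split("?")[0].lower() != TARGET:
        return []
    if not content_type.lower().startswith("multipart/form-data"):
        return []
    fields, files = parse_form(content_type, body)
    hits = []
    if fields.get("request") == "uploadFile":
        hits.append("upload-request")
    if TRAVERSAL.search(fields.get("directory", "")):
        hits.append("directory-traversal")
    if any(SCRIPT_EXT.search(f) for f in files.values()):
        hits.append("script-upload")
    return hits

def sample_body(directory, filename):
    """Constructed multipart body using the field names listed on this page."""
    def part(name, value, fname=None):
        disp = f'form-data; name="{name}"' + (f'; filename="{fname}"' if fname else "")
        return f"--{B}\r\nContent-Disposition: {disp}\r\n\r\n{value}\r\n"
    return (part("request", "uploadFile") + part("directory", directory)
            + part("impinf__uploadfilelocation", "placeholder", filename)
            + f"--{B}--\r\n").encode()
```

A request that returns only `upload-request` is an ordinary upload; `directory-traversal` or `script-upload` on this endpoint is what warrants an alert and a check of the WebPages root for new .asp/.aspx files.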

CVSS provenance

nvd  v3.1  8.8  HIGH    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  6.5  MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P