CVE-2015-6922
published 2020-02-17


Priority: P187 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 82.10% (99.6th percentile)
Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.33, 8.x before 8.0.0.23, 9.0 before 9.0.0.19, and 9.1 before 9.1.0.9 does not properly require authentication, which allows remote attackers to bypass authentication and (1) add an administrative account via crafted request to LocalAuth/setAccount.aspx or (2) write to and execute arbitrary files via a full pathname in the PathData parameter to ConfigTab/uploader.aspx.

Affected

4 ranges
Vendor   Product                        Version range            Fixed in
kaseya   virtual_system_administrator   >= 7.0.0.0 < 7.0.0.33    7.0.0.33
kaseya   virtual_system_administrator   >= 8.0.0.0 < 8.0.0.23    8.0.0.23
kaseya   virtual_system_administrator   >= 9.0.0.0 < 9.0.0.19    9.0.0.19
kaseya   virtual_system_administrator   >= 9.1.0.0 < 9.1.0.9     9.1.0.9

Detection & IOCs (extracted from sources)

url: /LocalAuth/setAccount.aspx
url: /ConfigTab/serverfiles.asp
cookie: sessionId=
path: C:\Kaseya\WebPages\
path: C:\Program Files\Kaseya\WebPages\
path: C:\Program Files (x86)\Kaseya\WebPages\
url: /vsapres/web20/json.ashx
url: /vsapres/web20/core/login.aspx
command: POST /LocalAuth/setAccount.aspx sessionVal=&adminName=&NewPassword=&confirm=&[email protected]&setAccount=Create
  • Detect unauthenticated GET requests to /ConfigTab/uploader.aspx or /ConfigTab/serverfiles.asp — the server issues a 302 redirect to /mainLogon.asp?logout= but also sets a valid sessionId cookie, which attackers harvest for subsequent unauthenticated file upload.
  • Alert on POST requests to /LocalAuth/setAccount.aspx containing the parameter setAccount=Create — this is the unauthenticated Master Administrator account creation exploit.
  • Monitor for .asp file creation under Kaseya WebPages directories (C:\Kaseya\WebPages\, C:\Program Files\Kaseya\WebPages\, etc.) by the IUSR account, which indicates successful webshell deployment via the uploader.aspx vulnerability.
  • The exploit response check for successful upload is the JSON string '"success": "true"' in the HTTP 200 response body from /ConfigTab/uploader.aspx — monitor for this pattern in web server logs.
  • The uploader.aspx endpoint issues a 302 redirect to /mainLogon.asp?logout= for unauthenticated requests, but still sets a valid sessionId cookie in the response. Attackers intentionally ignore the redirect and extract the sessionId from the 302 response to use in the subsequent file upload POST — network controls that only block non-302 unauthenticated access are insufficient.
  • The PathData parameter accepts a full absolute Windows path; the application discloses whether a given path exists or not, allowing attackers to enumerate valid installation directories before uploading. Detection rules should cover all common drive letters (C:, D:, E:) and both 32-bit and 64-bit Program Files paths.
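As an added illustration of the detection notes above (not part of the CVE record or of any vendor tooling), the following Python turns three of them into rules run over constructed request log lines. It assumes a proxy or WAF log that records the request method, target with parameters and status code; default IIS logs do not record POST bodies, so the sample format and lines here are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the CVE description and the detection notes
PROBE_PATHS = {"/configtab/uploader.aspx", "/configtab/serverfiles.asp"}
ACCOUNT_PATH = "/localauth/setaccount.aspx"
UPLOAD_PATH = "/configtab/uploader.aspx"
# Absolute Windows path on any drive letter, as the PathData note recommends
ABS_WIN_PATH = re.compile(r"^[A-Za-z]:\\")

# Constructed sample (not a real capture); one request per line:
#   <method> <request-target> <status>
SAMPLE_LOG = """\
GET /ConfigTab/uploader.aspx 302
POST /ConfigTab/uploader.aspx?PathData=D:\\Kaseya\\WebPages\\upload.asp 200
POST /LocalAuth/setAccount.aspx?adminName=newadmin&setAccount=Create 200
GET /vsapres/web20/core/login.aspx 200
GET /ConfigTab/serverfiles.asp 302
"""


def classify(line):
    """Return the name of the first matching detection rule, or None."""
    method, target, status = line.split()
    parts = urlsplit(target)
    path = parts.path.lower()
    params = parse_qs(parts.query)
    # Rule 1: unauthenticated probe that receives the 302 (and a session cookie)
    if method == "GET" and path in PROBE_PATHS and status == "302":
        return "unauth-probe"
    # Rule 2: Master Administrator creation request
    if method == "POST" and path == ACCOUNT_PATH and "Create" in params.get("setAccount", []):
        return "admin-create"
    # Rule 3: upload with a full absolute Windows path in PathData
    if method == "POST" and path == UPLOAD_PATH:
        if any(ABS_WIN_PATH.match(p) for p in params.get("PathData", [])):
            return "file-write"
    return None


def analyze(log_text):
    """Return (rule, line) pairs for every line that triggers a rule."""
    return [(rule, ln) for ln in log_text.splitlines() if (rule := classify(ln))]


if __name__ == "__main__":
    for rule, ln in analyze(SAMPLE_LOG):
        print(f"{rule:13} {ln}")
```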

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)