CVE-2018-20753
Published: 2019-02-05
Priority: P1 · 90 · Critical · CVSS 3.1 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW (exploited in the wild) · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-05-04
Exploited in the wild
EPSS: 29.55% (98.0th percentile)
Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. In January 2018, attackers actively exploited this vulnerability in the wild.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaseya | virtual_system_administrator | >= 9.3 < 9.3.0.35 | 9.3.0.35 |
| kaseya | virtual_system_administrator | >= 9.4 < 9.4.0.36 | 9.4.0.36 |
| kaseya | virtual_system_administrator | >= 9.5 < 9.5.0.5 | 9.5.0.5 |
Detection & IOCs (extracted from sources)
- Monitor for unauthorized PowerShell payload execution originating from Kaseya VSA RMM agent processes on managed endpoints, which may indicate exploitation of this unauthenticated remote code execution flaw.
- This vulnerability was actively exploited in the wild starting January 2018; prioritize hunting for suspicious PowerShell activity on VSA-managed devices from that period onward.
- Vulnerable versions span three release branches; ensure patching covers all deployed branches: R9.3 before 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5.
- The attack surface is amplified by the RMM architecture: a single compromised VSA server can push malicious PowerShell payloads to ALL managed devices, not just the VSA host itself.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
CISA
Kaseya VSA Remote Code Execution Vulnerability
cisa · 2022-04-13 · CVSS 9.8
CVE-2018-20753 [CRITICAL] Kaseya VSA Remote Code Execution Vulnerability
Vulnerability: Kaseya VSA Remote Code Execution Vulnerability
Affected: Kaseya Virtual System/Server Administrator (VSA)
Kaseya VSA RMM allows unprivileged remote attackers to execute PowerShell payloads on all managed devices.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-20753
Remediation Due Date: 2022-05-04
GHSA
GHSA-hhg2-f289-m44w: Kaseya VSA RMM before R9
ghsa_unreviewed · 2022-05-13
CVE-2018-20753 [CRITICAL] GHSA-hhg2-f289-m44w: Kaseya VSA RMM before R9
Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. In January 2018, attackers actively exploited this vulnerability in the wild.
VulnCheck
Kaseya VSA Remote Code Execution Vulnerability
vulncheck · 2018 · CVSS 9.8
CVE-2018-20753 [CRITICAL] Kaseya VSA Remote Code Execution Vulnerability
Kaseya VSA Remote Code Execution Vulnerability
Kaseya VSA RMM allows unprivileged remote attackers to execute PowerShell payloads on all managed devices.
Affected: Kaseya Virtual System/Server Administrator (VSA)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://medium.com/huntresslabs/deep-dive-kaseya-vsa-mining-payload-c0ac839a0e88; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-04
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://blog.huntresslabs.com/deep-dive-kaseya-vsa-mining-payload-c0ac839a0e88
- https://helpdesk.kaseya.com/hc/en-gb/articles/360000333152
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-20753
Timeline
- 2019-02-05: Published
- 2022-04-13: Added to CISA KEV
- Exploited in the wild