CVE-2017-18362
Published: 05 February 2019
Summary
CVE-2017-18362 is a critical-severity SQL Injection (CWE-89) vulnerability in ConnectWise ManagedITSync. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.8% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2017-18362 affects the ConnectWise ManagedITSync integration through 2017 for Kaseya VSA. The flaw stems from exposure of the ManagedIT.asmx page in the Kaseya VSA web interface, which permits unauthenticated remote execution of arbitrary SQL queries with both read and write access to the underlying database. The issue is classified under CWE-89 and carries a CVSS 3.1 base score of 9.8.
An attacker who can reach the affected page can issue direct SQL commands against the VSA database without supplying credentials. Successful exploitation grants full control over managed endpoint data and configuration, enabling actions such as deploying payloads across all systems monitored by the VSA server. In February 2019, threat actors actively used the vulnerability in the wild to download and execute ransomware on those endpoints.
Public references, including Kaseya advisory pages and related repositories, document the exposure and exploitation activity but do not detail specific patch versions or configuration changes within the supplied information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-9480
Vulnerability details
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.
- CWE(s)
- KEV Date Added: 24 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly enforces authentication and authorization checks before any access to the ManagedIT.asmx page or execution of SQL queries against the VSA database.
Requires unique identification and authentication of users prior to allowing remote access to the Kaseya VSA web interface and its database functions.
Restricts network exposure of the VSA web interface and ManagedIT.asmx endpoint to only authorized sources, blocking unauthenticated remote SQL access.
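A defender-side check for the exposure condition described above, as an added example that is not part of the original page or of any vendor tooling: it parses IIS W3C logs from the VSA web server and reports requests for ManagedIT.asmx that came from sources outside an allowlist. The log lines, the `/Example/` path prefix and the `ALLOWED` networks are constructed assumptions.

```python
import ipaddress

# Assumption: networks permitted to reach the VSA web interface (constructed).
ALLOWED = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed IIS W3C extended log sample; the /Example/ prefix is a placeholder path.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-02-05 03:11:02 10.20.4.7 GET /Example/ManagedIT.asmx 200
2019-02-05 03:14:40 203.0.113.50 POST /Example/managedit.asmx 200
2019-02-05 03:14:41 203.0.113.50 POST /Example/ManagedIT.asmx 500
2019-02-05 03:15:09 198.51.100.9 GET /Example/ManagedIT.asmx 404
2019-02-05 03:16:00 203.0.113.50 GET /Example/Login.aspx 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def is_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED)

def audit(text):
    """Return findings for ManagedIT.asmx requests from non-allowlisted sources."""
    findings = []
    for row in parse_w3c(text):
        if not row["cs-uri-stem"].lower().endswith("/managedit.asmx"):
            continue
        if is_allowed(row["c-ip"]):
            continue
        # Any status other than 401/403/404 means the request reached the page
        # from an outside source, which is the exposure condition for this CVE.
        exposed = row["sc-status"] not in ("401", "403", "404")
        findings.append((row["c-ip"], row["cs-method"], row["sc-status"],
                         "EXPOSED" if exposed else "blocked"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Any `EXPOSED` row means the page answered a source that the network restriction should have stopped, so it warrants review of both the firewall rule and the VSA database for that time window.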