Cyber Resilience

CVE-2017-18362

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 05 February 2019
Modified: 05 November 2025
KEV Added: 24 May 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8113 (99.2th percentile)
Risk Priority: 88 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-18362 is a critical-severity SQL Injection (CWE-89) vulnerability in ConnectWise ManagedITSync. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2017-18362 affects the ConnectWise ManagedITSync integration through 2017 for Kaseya VSA. The flaw stems from exposure of the ManagedIT.asmx page in the Kaseya VSA web interface, which permits unauthenticated remote execution of arbitrary SQL queries with both read and write access to the underlying database. The issue is classified under CWE-89 and carries a CVSS 3.1 base score of 9.8.

An attacker who can reach the affected page can issue direct SQL commands against the VSA database without supplying credentials. Successful exploitation grants full control over managed endpoint data and configuration, enabling actions such as deploying payloads across all systems monitored by the VSA server. In February 2019, threat actors actively used the vulnerability in the wild to download and execute ransomware on those endpoints.

Public references, including Kaseya advisory pages and related repositories, document the exposure and exploitation activity but do not detail specific patch versions or configuration changes within the supplied information.

Vulnerability details

ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.

CWE(s): CWE-89
KEV Date Added: 24 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

connectwise · manageditsync · ≤ 2017

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly enforces authentication and authorization checks before any access to the ManagedIT.asmx page or execution of SQL queries against the VSA database.

prevent: Requires unique identification and authentication of users prior to allowing remote access to the Kaseya VSA web interface and its database functions.

prevent: Restricts network exposure of the VSA web interface and ManagedIT.asmx endpoint to only authorized sources, blocking unauthenticated remote SQL access.
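
One way to verify the network-exposure control above, as an added example that is not from this page, Kaseya or ConnectWise: it scans IIS W3C extended logs for requests to ManagedIT.asmx from sources outside an allowlist. It assumes the VSA web server writes W3C logs; the log lines, the `/placeholder/` path and the allowlisted network are constructed, and because the page does not give the endpoint's full path the match is on the file name only.

```python
import ipaddress

# Assumption: management networks allowed to reach the VSA web interface (constructed value).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
TARGET = "managedit.asmx"  # file name from the advisory; the full path is not on the page

# Constructed sample in IIS W3C extended format (documentation addresses, placeholder path).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-02-05 09:14:02 10.20.0.15 GET /placeholder/ManagedIT.asmx 200
2019-02-05 09:15:40 203.0.113.77 POST /placeholder/ManagedIT.asmx 200
2019-02-05 09:15:41 203.0.113.77 POST /placeholder/managedit.asmx 500
2019-02-05 09:16:10 198.51.100.9 GET /placeholder/login.aspx 200
2019-02-05 09:17:55 198.51.100.9 GET /placeholder/ManagedIT.asmx 404
"""

def parse_w3c(text):
    """Yield one dict per request, honouring the #Fields directive (it can change mid-file)."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def is_allowed(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable source is treated as untrusted
    return any(ip in net for net in ALLOWED_NETS)

def find_exposure(text):
    """Return requests that reached ManagedIT.asmx from outside the allowlist."""
    hits = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        if stem.rsplit("/", 1)[-1] != TARGET or is_allowed(row.get("c-ip", "")):
            continue
        # Heuristic: a 404 suggests the page is absent; any other status means it answered.
        row["page_present"] = row.get("sc-status") != "404"
        hits.append(row)
    return hits

if __name__ == "__main__":
    for h in find_exposure(SAMPLE_LOG):
        print(h["date"], h["time"], h["c-ip"], h["cs-method"], h["sc-status"],
              "PAGE PRESENT" if h["page_present"] else "page not found")
```

Any hit with `page_present` set means the endpoint is reachable from a source the allowlist does not cover, which is the condition the advisory describes as sufficient for unauthenticated SQL access.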
