CVE-2018-20753
Published: 05 February 2019
Summary
CVE-2018-20753 is a critical-severity vulnerability of unspecified weakness type in Kaseya Virtual System Administrator (VSA). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
Kaseya VSA RMM, a remote monitoring and management platform, is affected by CVE-2018-20753 in versions prior to R9.3 9.3.0.35, R9.4 9.4.0.36, and R9.5 9.5.0.5. The flaw permits unauthenticated remote attackers to execute arbitrary PowerShell payloads across all devices under management; its CVSS 3.1 base score of 9.8 reflects a network attack vector with no privileges or user interaction required.
An attacker who reaches the VSA server can leverage the weakness to run code on every managed endpoint, resulting in full compromise of confidentiality, integrity, and availability on those systems. Because the payloads execute with the privileges of the management agent, the attacker effectively gains control over the entire customer fleet without needing credentials on individual devices.
Kaseya’s advisory and corresponding patches direct administrators to upgrade to the fixed builds listed above. The vulnerability is also catalogued in CISA’s Known Exploited Vulnerabilities list, underscoring the need for immediate remediation on any remaining unpatched instances.
Public reporting confirms that the issue was actively exploited in the wild as early as January 2018, with observed campaigns deploying cryptocurrency miners via the PowerShell execution path.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-13296
Vulnerability details
Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. In January 2018, attackers actively exploited this vulnerability in the wild.
- CWE(s): unspecified
- KEV Date Added: 13 April 2022
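As an added example (not Kaseya's code or part of the original advisory), the following triages an asset inventory against the fixed builds listed above; the dotted four-part version format and the host records are constructed assumptions for illustration.

```python
"""Triage Kaseya VSA builds against the fixed builds named in this advisory.
Added example: the version format and host records are assumptions."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed builds per release branch, as listed in the advisory text above.
FIXED_BUILDS: Dict[Tuple[int, int], Version] = {
    (9, 3): (9, 3, 0, 35),
    (9, 4): (9, 4, 0, 36),
    (9, 5): (9, 5, 0, 5),
}

def parse_version(text: str) -> Version:
    """Parse a dotted numeric build string (e.g. '9.4.0.12') into a 4-tuple,
    padding missing components with zeros."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised VSA version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])

def is_affected(text: str) -> Optional[bool]:
    """True if the build is vulnerable, False if at or after the fixed build,
    None if the branch is not covered by the advisory and needs manual review."""
    v = parse_version(text)
    if v < FIXED_BUILDS[(9, 3)]:
        return True  # below the first fixed build, older branches included
    fixed = FIXED_BUILDS.get((v[0], v[1]))
    if fixed is None:
        return None
    return v < fixed

def vulnerable_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose VSA build is affected (unknown branches excluded)."""
    return [host for host, ver in inventory if is_affected(ver) is True]

# Constructed sample inventory: (hostname, reported VSA build).
SAMPLE_INVENTORY = [
    ("vsa-prod-01", "9.5.0.4"),
    ("vsa-prod-02", "9.5.0.5"),
    ("vsa-lab-01", "9.4.0.12"),
    ("vsa-old-01", "9.2.0.10"),
    ("vsa-new-01", "9.6.0.1"),
]

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update required (CVE-2018-20753)")
```

Hosts on a branch the advisory does not name (for example 9.6.x) are reported as unknown rather than vulnerable, so they still need a manual check against the vendor's release notes.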
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires organizations to apply the vendor-supplied patches that close the unauthenticated remote PowerShell execution flaw in Kaseya VSA before exploitation occurs.
- AC-3 (Access Enforcement): enforces access-control policy on the VSA management interface so that unauthenticated remote attackers cannot reach the code-execution path affecting all managed endpoints.
- Mandates authentication, authorization, and encryption for all remote connections to the VSA server, directly blocking the network-accessible attack vector described in the CVE.