Cyber Resilience

CVE-2018-20753

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 05 February 2019

Modified: 07 November 2025
KEV Added: 13 April 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4793 (97.8th percentile)
Risk Priority: 68 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-20753 is a critical-severity vulnerability, of unspecified weakness type, in Kaseya Virtual System Administrator. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 2.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

Kaseya VSA RMM, a remote monitoring and management platform, is affected by CVE-2018-20753 in versions prior to R9.3 9.3.0.35, R9.4 9.4.0.36, and R9.5 9.5.0.5. The flaw permits unauthenticated remote attackers to execute arbitrary PowerShell payloads across all devices under management. Its CVSS 3.1 base score of 9.8 reflects a network-accessible attack vector with no required privileges or user interaction.

An attacker who reaches the VSA server can leverage the weakness to run code on every managed endpoint, resulting in full compromise of confidentiality, integrity, and availability on those systems. Because the payloads execute with the privileges of the management agent, the attacker effectively gains control over the entire customer fleet without needing credentials on individual devices.

Kaseya’s advisory and corresponding patches direct administrators to upgrade to the fixed builds listed above. The vulnerability is also catalogued in CISA’s Known Exploited Vulnerabilities list, underscoring the need for immediate remediation on any remaining unpatched instances.

Public reporting confirms that the issue was actively exploited in the wild as early as January 2018, with observed campaigns deploying cryptocurrency miners via the PowerShell execution path.

Vulnerability details

Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. In January 2018, attackers actively exploited this vulnerability in the wild.

CWE(s)
KEV Date Added: 13 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

kaseya
virtual system administrator
9.3 — 9.3.0.35 · 9.4 — 9.4.0.36 · 9.5 — 9.5.0.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires organizations to apply the vendor-supplied patches that close the unauthenticated remote PowerShell execution flaw in Kaseya VSA before exploitation occurs.

prevent

Enforces access-control policy on the VSA management interface so that unauthenticated remote attackers cannot reach the code-execution path affecting all managed endpoints.

AC-17 Remote Access (partial match)
prevent

Mandates authentication, authorization, and encryption for all remote connections to the VSA server, directly blocking the network-accessible attack vector described in the CVE.