The unpatched flaws include RCE and authenticated privilege escalation on the client-side: Just the latest woe for the ransomware-walloped MSP.
There are three new, unpatched zero-day vulnerabilities in Kaseya Unitrends that include remote code execution (RCE) and authenticated privilege escalation on the client-side.
The Dutch Institute for Vulnerability Disclosure (DIVD) on Monday issued a public advisory warning that the service and clients should be kept off the internet until there’s a patch.
Kaseya Unitrends is a cloud-based enterprise backup and disaster recovery technology that’s delivered as either disaster recovery-as-a-service (DRaaS) or as an add-on for the Kaseya Virtual System/Server Administrator (VSA) remote management platform. The flaws are in versions earlier than 10.5.2.
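The only concrete technical detail the article gives defenders is the affected range (anything older than 10.5.2), so the practical first step is to check an inventory of Unitrends installs against that threshold. The script below is an added example, not code from the article, DIVD or Kaseya: it compares dotted version strings numerically rather than lexically (a plain string compare would wrongly rank "10.10.1" below "10.5.2"), and the hostnames and version numbers in the sample inventory are constructed for illustration. It assumes versions are reported as dotted numeric strings.

```python
from typing import Dict, Tuple

# Affected range stated in the article: Kaseya Unitrends versions earlier than 10.5.2.
FIRST_FIXED_VERSION = "10.5.2"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '10.4.12' into a tuple of ints.

    A non-numeric suffix on a component (e.g. '2-rc1') is dropped; this is an
    assumption made for the example, not documented Unitrends version syntax.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(installed: str, first_fixed: str = FIRST_FIXED_VERSION) -> bool:
    """True when the installed version is older than the first fixed release."""
    a, b = parse_version(installed), parse_version(first_fixed)
    width = max(len(a), len(b))
    # Pad so '10.5' compares as 10.5.0 rather than failing on tuple length.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'affected' or 'fixed' based on its reported version."""
    return {
        host: ("affected" if is_affected(version) else "fixed")
        for host, version in inventory.items()
    }


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "backup-01.example.internal": "10.4.9",
    "backup-02.example.internal": "10.5.2",
    "backup-03.example.internal": "10.10.1",
    "backup-04.example.internal": "9.9.9",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

Hosts reported as affected are the ones DIVD's advisory says should be kept off the internet until the patch lands; the version comparison is the part worth getting right, since lexical comparison silently misclassifies any release whose component passes 9.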
DIVD experts disclosed the three flaws last week.
DIVD Chairman Victor Gevers told BleepingComputer that it has found only a small number of vulnerable servers, but those vulnerable instances are located “in sensitive industries.”
Gevers explained the advisory was originally shared with 68 government CERTs as an amber alert under a coordinated disclosure. One of the recipients went on to share it with an organization’s Financial Services service desk. From there, an employee published DIVD’s amber alert on an online analyzing platform, where it became public.
“An employee uploaded the TLP: AMBER labeled directly to an online analyzing platform and shared its content to all participants of that platform,” Gevers told the outlet. “Because we do not have an account on that platform, we immediately requested removing this file.”