6-year-old Kaseya vulnerability surfaces amid VSA supply chain attack

Allowed users to read server files containing usernames, passwords and the location of key databases.

Credit: Dreamstime

A six-year-old flaw lying in Kaseya’s deprecated billing and customer support site has surfaced amid the ongoing attempt to rectify a supply chain attack on the vendor's VSA product that has affected over 1000 businesses globally. 

Last week, the US-based IT infrastructure management solutions vendor discovered a potential security incident involving its VSA software, which is used by managed service providers (MSPs) to deliver IT management services to customers.  

John Hammond, senior security researcher at cyber security firm Huntress, said at the time that on 2 July, "many" Kaseya VSA servers were used to deploy ransomware, with the party behind the campaign appearing to be affiliated with the REvil group, which is believed to be linked with Russia.   

According to cyber security expert Brian Krebs, part of the chain involved the exploit CVE-2021-30116, which has been around since April. 

However, this isn’t the only dated Kaseya-related vulnerability to be concerned about. A new report posted by Krebs on his KrebsOnSecurity site claims that security incident response firm Mandiant notified the vendor about a six-year-old vulnerability that was still present in an older version of its billing and customer support portal. 

The vulnerability, CVE-2015-2862, was issued in July 2015 and is a “directory traversal vulnerability” in Kaseya VSA that "allows remote authenticated users to read arbitrary files via a crafted HTTP request”. 

Or in Krebs’ words, the exploit allows “remote users to read any files on the server using nothing more than a web browser”. 

According to comments Krebs received from Michael Sanders, executive VP of account management at Kaseya, the customer portal was taken offline due to a vulnerability report. 

Krebs also claimed Sanders said that although the portal was deprecated in 2018, the older site was still accessible online. 

However, the vulnerability may be worse than expected. Alex Holden, the person from whom Mandiant heard about the vulnerability, and founder and CTO of cyber intelligence firm Hold Security, said he was able to access information without being an authenticated user, despite the CVE description. 

Krebs claims Holden was able to exploit CVE-2015-2862 to download the site’s web.config server configuration file, which typically contains usernames, passwords and the location of key databases. 
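The CVE description above says a crafted HTTP request was enough to read arbitrary server files, and the web.config file is the usual prize. As an added illustration that is not code from the article, from Kaseya or from the researchers quoted, the following Python shows the resolve-and-check step that stops a request path from escaping the web root (percent-decode once, normalise `..` and `.` segments, then confirm the result stays inside the root at a path-component boundary), and runs the same check over a few constructed access log lines to flag past attempts. The web root, the log format and every request path are assumed for the example.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed web root for the example; nothing is read from disk, the check is
# purely on the resolved path string.
WEB_ROOT = "/var/www"


def resolve_within_root(root: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` if it stays inside `root`, else None.

    Decode percent-escapes exactly once: a second decode would let a doubly
    encoded %252e%252e slip past a naive filter, so any '%' left after one
    decode (or a NUL byte) is rejected outright.
    """
    decoded = unquote(requested)
    if "%" in decoded or "\x00" in decoded:
        return None
    # Backslashes act as separators on Windows-hosted servers, so treat them
    # the same as forward slashes before normalising.
    decoded = decoded.replace("\\", "/")
    relative = decoded.lstrip("/")  # force the request to be relative to root
    root_norm = posixpath.normpath(root)
    joined = posixpath.normpath(posixpath.join(root_norm, relative))
    # Prefix test at a component boundary: "/var/www-old/x" must not pass for
    # root "/var/www", which a bare startswith(root) check would allow.
    if joined == root_norm or joined.startswith(root_norm + "/"):
        return joined
    return None


# Constructed access log lines: '<client> "<METHOD> <path> HTTP/1.1" <status>'
SAMPLE_LOG = [
    '203.0.113.5 "GET /portal/index.aspx HTTP/1.1" 200',
    '203.0.113.5 "GET /portal/../../web.config HTTP/1.1" 200',
    '198.51.100.7 "GET /portal/css/../site.css HTTP/1.1" 200',
    '198.51.100.7 "GET /portal/%2e%2e/%2e%2e/web.config HTTP/1.1" 200',
    '198.51.100.7 "GET /portal/..%5c..%5cweb.config HTTP/1.1" 200',
]


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, request_path) for requests that would escape WEB_ROOT.

    Using the same resolver as the server-side check means a benign
    "/portal/css/../site.css" is not reported, while encoded and
    backslash variants of the escape are.
    """
    hits = []
    for number, line in enumerate(log_lines, 1):
        try:
            path = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # malformed line, skip rather than crash the scan
        if resolve_within_root(WEB_ROOT, path) is None:
            hits.append((number, path))
    return hits


if __name__ == "__main__":
    for number, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {number}: traversal attempt {path}")
```

The resolver is deliberately lexical rather than filesystem-based so it behaves the same on any host; a server that also follows symlinks under the web root would additionally compare `os.path.realpath` of the final path against the root.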

“It’s not like they forgot to patch something that Microsoft fixed years ago,” Holden said to KrebsOnSecurity. “It’s a patch for their own software. And it’s not zero-day. It’s from 2015!” 

KrebsOnSecurity said it had seen a written statement from Kaseya saying the portal was not involved with the VSA product security incidents and does not have access to any customer endpoints. 
