Security Researchers Alert of Unpatched Kaseya Backup Vulnerabilities

Researchers alert of three new zero-day vulnerabilities in Kaseya. Unitrends services and advise users not to reveal the service on the Internet. Kaseya Unitrends is a cloud-based enterprise backup and disaster recovery solution that is provided as a stand-alone solution or as an add-on for the Kaseya VSA remote management platform.

In last week, the Dutch Institute for Vulnerability Disclosure (DIVD) expressed a TLP: AMBER advisory about three unpatched vulnerabilities in Kaseya Unitrends backup products. Whereas, DIVI releases this advisory under the TLP: AMBER designation, DIVD chairperson Victor Gevers told our experts that it was originally transmitted with 68 government CERTs under a coordinated disclosure.

Although, one of the receivers uploaded it to an online examination platform, where it became public to those with access to the service. “After two days, an Information Sharing and Analysis Center warned us that one of the GovCERTs has transmitted the email to an association’s services desk operating in the Financial Service in that country,” Gevers told our experts.

“An employee of an organization uploaded the TLP: AMBER labeled directly to an online examine platform and transmitted it’s data to all the users of that platform; because we do not have an account on that platform, we urgently urged for removing this file.”

What are the Kaseya Unitrends Vulnerabilities?

In previous days, DIVD released a public advisory alerting that zero-day vulnerabilities have been founded in Kaseya Unitrends versions earlier than 10.5.2 and to not reveal the service on the Internet.

“Do not disclose this service or the clients (working on default ports 80, 443, 1743, 1745) directly to the internet until or unless Kaseya has patched these vulnerabilities,” mentioned in DIVD’s advisory.

The vulnerabilities are directly impacting the Kaseya Unitrends backup services which consist up of a combination of unauthenticated remote code execution, authenticated privilege escalation, and unauthenticated remote code execution on the client-side.

Why these Vulnerabilities are more difficult to Exploit?

Unlike the Kaseya VSA zero-day utilization as part of the July 2nd REvil ransomware attack, these vulnerabilities are more difficult to exploit.

That’s the reason a threat actor would require a valid user to execute remote code execution or privilege escalation on the publicly disclosed Kaseya Unitrends service. Moreover, the threat actor would already be required to have hijacked a customer network to exploit the unauthenticated client RCE.


DIVD discovered the vulnerabilities on July 2nd, 2021, and revealed them to Kaseya on the 3rd of July. On the 14th of July, DIVD starts scanning the Internet for exposed Kaseya Unitrends instances to discover vulnerable systems.

DIVD will try to inform owners of vulnerable systems to get them offline until a patch is released. Gevers told our experts that the amount of vulnerable instances is very low, but they have been in the critical case of industries.

Our experts tried to reach to Kaseya to know when the patch will be released but have not got any revert at this time.

Leave a Reply