Cybercrime

Kaseya Releases Patches for Vulnerabilities Exploited in Ransomware Attack

IT management solutions provider Kaseya has released patches for the vulnerabilities exploited in the recent ransomware attack, and the company has also started restoring SaaS services.

Kaseya shut down its VSA remote monitoring and management product on July 2, shortly after learning of a ransomware attack targeting the company and its customers. The attackers exploited zero-day vulnerabilities in VSA to deliver REvil ransomware to the MSPs that use the product, as well as to their customers — it’s currently estimated that between 800 and 1,500 organizations were hit.

While only on-premises VSA installations were targeted, Kaseya also shut down SaaS services as a precaution. After its initial attempt to restore services failed, the company over the weekend released patches for the on-premises product and started restoration of SaaS services.

The latest update, provided by the company early on Monday morning, said SaaS services had been restored for 95% of customers.

As for the patch for on-premises installations, VSA 9.5.7a fixes a total of six security holes: a credentials leak and business logic flaw (CVE-2021-30116), an XSS vulnerability (CVE-2021-30119), a 2FA bypass issue (CVE-2021-30120), an issue related to secure flags not being used for user portal session cookies, a password hash exposure issue that could be useful for brute-force attacks, and an unauthorized file upload vulnerability.
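Two of the items in that list, session cookies issued without secure flags and an XSS bug, combine badly: a session cookie that lacks the Secure attribute can travel over plaintext HTTP, and one that lacks HttpOnly can be read by injected script. The following is an added example, not code from Kaseya or the article, showing how an operator can audit the Set-Cookie headers a web portal returns and flag session cookies missing those attributes. The header samples, the session-name hints, and the function names are constructed for the illustration.

```python
"""Audit Set-Cookie headers for session cookies that lack protective attributes.

Added example (not Kaseya's code). The sample headers below are constructed;
in practice they would come from a captured HTTP response of the portal
under review.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Substrings that usually mark a cookie as carrying a session or auth token.
# This list is an assumption for the demo; tune it for the product in scope.
SESSION_NAME_HINTS = ("sess", "auth", "token", "sid")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and attribute flags.

    Attribute names are matched case-insensitively, as browsers do; the
    cookie value itself is not needed for the audit and is discarded.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # flag attribute such as Secure / HttpOnly
    samesite = attrs.get("samesite")
    return CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=samesite if isinstance(samesite, str) else None,
    )


def audit_session_cookies(headers: List[str]) -> List[CookieAudit]:
    """Return an audit record for every session-like cookie, with findings.

    Cookies whose names do not look like session identifiers (theme, locale,
    ...) are skipped so the report stays focused on credential-bearing ones.
    """
    results = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not any(hint in cookie.name.lower() for hint in SESSION_NAME_HINTS):
            continue
        if not cookie.secure:
            cookie.findings.append("missing Secure: cookie may be sent over plaintext HTTP")
        if not cookie.httponly:
            cookie.findings.append("missing HttpOnly: readable by injected script (XSS)")
        if cookie.samesite is None:
            cookie.findings.append("missing SameSite: cookie attached to cross-site requests")
        results.append(cookie)
    return results


# Constructed sample response headers: one weak session cookie, one hardened
# auth cookie, and one non-session cookie that the audit should ignore.
SAMPLE_HEADERS = [
    "sessionId=abc123; Path=/",
    "authToken=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for record in audit_session_cookies(SAMPLE_HEADERS):
        status = "OK" if not record.findings else "; ".join(record.findings)
        print(f"{record.name}: {status}")
```

Run against real responses, the audit is only a first pass: it reports what the server sends, so a cookie set by client-side script, or a Secure cookie later downgraded by a proxy that terminates TLS, needs a separate check.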

The flaws that have been assigned a CVE identifier are three of the seven issues reported to Kaseya in April by the Dutch Institute for Vulnerability Disclosure (DIVD). Kaseya had patched some of the vulnerabilities before the REvil ransomware attack was launched, but some remained unfixed, enabling the attackers to exploit them to achieve their goals.

[Continuous Updates: Everything You Need to Know About the Kaseya Ransomware Attack]

It’s still unclear exactly which vulnerabilities were exploited, but DIVD said the attack involved two flaws, including one reported by its researchers.

According to managed detection and response company Huntress, which has monitored the attack and developed a proof-of-concept (PoC) exploit for the vulnerabilities used in the attack, the patch does appear to prevent exploitation. Huntress’ PoC is designed to exploit authentication bypass, arbitrary file upload and command injection vulnerabilities, but the firm noted that the attackers did not actually deliver an implant with their exploit, as its PoC does.

In addition to the actual patches, Kaseya has released a tool for on-premises customers that can be used to “clear any procedures that have accumulated prior to starting restarting your VSA.” The company has also released runbooks designed to help customers prepare for the rollout and restoration of services.

Bloomberg reported over the weekend that several former Kaseya employees claimed the company had poor security practices and often failed to fully address vulnerabilities. Some of the ex-employees also claimed that Kaseya products were abused to deploy ransomware on at least two occasions between 2018 and 2019.

Related: Emails Offering Kaseya Patches Deliver Malware

Related: Swedish Supermarket Closed by Kaseya Cyberattack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
