Connect with us

Hi, what are you looking for?



Kaseya Releases Patches for Vulnerabilities Exploited in Ransomware Attack

IT management solutions provider Kaseya has released patches for the vulnerabilities exploited in the recent ransomware attack, and the company has also started restoring SaaS services.

IT management solutions provider Kaseya has released patches for the vulnerabilities exploited in the recent ransomware attack, and the company has also started restoring SaaS services.

Kaseya shut down its VSA remote monitoring and management product on July 2, shortly after learning of a ransomware attack targeting the company and its customers. The attackers exploited zero-day vulnerabilities in VSA to deliver REvil ransomware to the MSPs that use the product, as well as to their customers — it’s currently estimated that between 800 and 1,500 organizations were hit.

While only on-premises VSA installations were targeted, Kaseya also shut down SaaS services as a precaution. After its initial attempt to restore services failed, the company over the weekend released patches for the on-premises product and started restoration of SaaS services.

The latest update, provided by the company early on Monday morning, said SaaS services had been restored for 95% of customers.

As for the patch for on-premises installations, VSA 9.5.7a fixes a total of six security holes: a credentials leak and business logic flaw (CVE-2021-30116), an XSS vulnerability (CVE-2021-30119), a 2FA bypass issue (CVE-2021-30120), an issue related to secure flags not being used for user portal session cookies, a password hash exposure issue that could be useful for brute-force attacks, and an unauthorized file upload vulnerability.

The flaws that have been assigned a CVE identifier are three of the seven issues reported to Kaseya in April by the Dutch Institute for Vulnerability Disclosure (DIVD). Kaseya had patched some of the vulnerabilities before the REvil ransomware attack was launched, but some remained unfixed, enabling the attackers to exploit them to achieve their goals.

[Continuous Updates: Everything You Need to Know About the Kaseya Ransomware Attack]

It’s still unclear exactly which vulnerabilities were exploited, but DIVD said the attack involved two flaws, including one reported by its researchers.

Advertisement. Scroll to continue reading.

According to managed detection and response company Huntress, which has monitored the attack and developed a proof-of-concept (PoC) exploit for the vulnerabilities used in the attack, the patch does appear to prevent exploitation. Huntress’ PoC is designed to exploit authentication bypass, arbitrary file upload and command injection vulnerabilities, but the firm noted that the attackers did not actually deliver an implant with their exploit, as its PoC does.

In addition to the actual patches, Kaseya has released a tool for on-premises customers that can be used to “clear any procedures that have accumulated prior to starting restarting your VSA.” The company has also released runbooks designed to help customers prepare for the rollout and restoration of services.

Bloomberg reported over the weekend that several former Kaseya employees claimed the company had poor security practices and often failed to fully address vulnerabilities. Some of the ex-employees also claimed that Kaseya products were abused to deploy ransomware on at least two occasions between 2018 and 2019.

Related: Emails Offering Kaseya Patches Deliver Malware

Related: Swedish Supermarket Closed by Kaseya Cyberattack

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.