CVE-2015-6922

9.8 CRITICAL

📋 TL;DR

CVE-2015-6922 is an authentication bypass vulnerability in Kaseya VSA that allows remote attackers to add administrative accounts or upload and execute arbitrary files without authentication. This affects Kaseya VSA versions 7.x before 7.0.0.33, 8.x before 8.0.0.23, 9.0 before 9.0.0.19, and 9.1 before 9.1.0.9. Organizations using these vulnerable versions are at risk of complete system compromise.

💻 Affected Systems

Products:
  • Kaseya Virtual System Administrator (VSA)
Versions: 7.x before 7.0.0.33, 8.x before 8.0.0.23, 9.0 before 9.0.0.19, 9.1 before 9.1.0.9
Operating Systems: Windows Server (primary deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. Kaseya VSA is typically deployed as a management server for IT administration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover: attackers can create admin accounts, upload malware, execute arbitrary code, and gain persistent access to all managed systems.

🟠

Likely Case

Ransomware deployment, data theft, or lateral movement across the network using the compromised Kaseya infrastructure.

🟢

If Mitigated

Limited impact if systems are isolated, but still significant risk due to authentication bypass.

🌐 Internet-Facing: HIGH - Exploitation requires no authentication and can be performed remotely over HTTP/HTTPS.
🏢 Internal Only: HIGH - Even internally, the authentication bypass allows complete compromise of the Kaseya management system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on Exploit-DB and other sources. The vulnerability requires only HTTP requests to specific endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.0.33, 8.0.0.23, 9.0.0.19, 9.1.0.9 or later

Vendor Advisory: https://helpdesk.kaseya.com/entries/96164487--Kaseya-Security-Advisory

Restart Required: Yes

Instructions:

  1. Download the appropriate patch from the Kaseya support portal.
  2. Back up the current configuration and database.
  3. Apply the patch following Kaseya's installation guide.
  4. Restart the Kaseya VSA service.
  5. Verify the patch applied successfully.

🔧 Temporary Workarounds

Block Vulnerable Endpoints

Temporarily block access to the vulnerable ASPX endpoints via web server configuration or firewall rules. The rule below requires the IIS URL Rewrite module to be installed; without it the <rewrite> element is not recognised and the site fails to start.

<!-- IIS URL Rewrite rule to block LocalAuth/setAccount.aspx and ConfigTab/uploader.aspx -->
<!-- Add to web.config inside the <system.webServer> section: -->
<rewrite>
  <rules>
    <rule name="BlockVulnerableEndpoints" stopProcessing="true">
      <match url="^(LocalAuth/setAccount\.aspx|ConfigTab/uploader\.aspx)" />
      <action type="AbortRequest" />
    </rule>
  </rules>
</rewrite>

Network Segmentation

Isolate the Kaseya VSA server from the internet and restrict access to trusted management networks only. An allow rule on its own only restricts access once any broader inbound allow rule for ports 80/443 (such as the "World Wide Web Services" rules IIS installs, which allow any source) has been disabled, because the default inbound policy then blocks everything else. Do not pair it with a block rule for the same ports: Windows Firewall block rules override allow rules and would cut off the trusted ranges as well.

# Firewall rules to restrict access (example for Windows Firewall):
# Allow TCP 80/443 only from the listed management ranges (adjust to your own);
# disable any existing any-source allow rule for these ports first.
netsh advfirewall firewall add rule name="RestrictKaseya" dir=in action=allow protocol=TCP localport=80,443 remoteip=192.168.1.0/24,10.0.0.0/8

🧯 If You Can't Patch

  • Immediately isolate the Kaseya VSA server from all untrusted networks, especially the internet.
  • Implement strict network access controls, allowing only necessary administrative traffic from trusted IP ranges.

🔍 How to Verify

Check if Vulnerable:

Check Kaseya VSA version via the web interface (Help > About) or examine installed version in Programs and Features. Compare against affected versions.

Check Version:

Check via Kaseya web interface or examine registry: HKEY_LOCAL_MACHINE\SOFTWARE\Kaseya\Agent\Version

Verify Fix Applied:

Verify version is 7.0.0.33+, 8.0.0.23+, 9.0.0.19+, or 9.1.0.9+. Test authentication requirements for LocalAuth/setAccount.aspx and ConfigTab/uploader.aspx endpoints.
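To automate the version comparison against the four affected ranges listed above, here is an added Python example; it is not Kaseya's code or tooling. The fixed builds are the ones stated in this advisory; the function names, the optional registry helper (which reads the key named under "Check Version" as a value called Version) and the sample version strings are assumptions.

```python
"""Classify a Kaseya VSA version string against the CVE-2015-6922 ranges.

Added example, not vendor code. The fixed builds come from the advisory
summary; everything else (function names, registry helper) is assumed.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]


# Fixed build per affected branch, as stated in the advisory:
# 7.x < 7.0.0.33, 8.x < 8.0.0.23, 9.0 < 9.0.0.19, 9.1 < 9.1.0.9
def fixed_build_for(v: Version) -> Optional[Version]:
    """Return the first fixed build for v's branch, or None if the branch is not listed."""
    major, minor = v[0], v[1]
    if major == 7:
        return (7, 0, 0, 33)
    if major == 8:
        return (8, 0, 0, 23)
    if major == 9 and minor == 0:
        return (9, 0, 0, 19)
    if major == 9 and minor == 1:
        return (9, 1, 0, 9)
    return None  # e.g. 6.x or 9.2+: not covered by this advisory


def parse_version(text: str) -> Version:
    """Turn '9.1.0.8' (or a shorter form such as '9.1') into a 4-tuple of ints."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the build predates the fix for its branch, False if fixed,
    None if the branch is outside the advisory's scope."""
    v = parse_version(text)
    fixed = fixed_build_for(v)
    if fixed is None:
        return None
    # Tuples compare component-wise, so 9.1.0.10 correctly sorts after 9.1.0.9
    # (a plain string comparison would get this wrong).
    return v < fixed


def read_version_from_registry() -> Optional[str]:
    """Read the registry value named in this advisory (Windows only); assumed to
    be a value 'Version' under HKLM\\SOFTWARE\\Kaseya\\Agent. Returns None on
    other platforms or when the key is absent."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Kaseya\Agent") as key:
            value, _ = winreg.QueryValueEx(key, "Version")
            return str(value)
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample versions, one on each side of each fix boundary.
    for sample in ("7.0.0.32", "7.0.0.33", "9.0.0.18", "9.1.0.8", "9.1.0.10", "9.2.0.0"):
        state = {True: "VULNERABLE", False: "fixed", None: "not in scope"}[is_vulnerable(sample)]
        print(f"{sample:>10}: {state}")
    current = read_version_from_registry()
    if current:
        print("registry reports", current, "->", is_vulnerable(current))
```

Run it on the version shown in Help > About; a result of None means the build is outside the branches this advisory covers and should be checked against the vendor advisory directly rather than assumed safe.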

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /LocalAuth/setAccount.aspx or /ConfigTab/uploader.aspx without prior authentication
  • Unusual account creation events in Kaseya audit logs
  • File uploads to unexpected paths via uploader.aspx

Network Indicators:

  • HTTP POST requests to vulnerable endpoints from unexpected source IPs
  • Unusual outbound connections from Kaseya server following exploitation

SIEM Query:

source="kaseya" AND (url="*setAccount.aspx" OR url="*uploader.aspx") AND NOT user="*"
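The log indicators and the SIEM query above can also be checked offline against an exported IIS W3C log. The following is an added Python example, not from the original page or from Kaseya: it parses the #Fields header, flags every request to the two vulnerable endpoints that carries no cs-username, and tallies the hits by source address. The log lines, the non-vulnerable /login.aspx path and the username "kadmin" are constructed for the example, as are the function names.

```python
"""Flag unauthenticated requests to the CVE-2015-6922 endpoints in IIS W3C logs.

Added example, not part of the original advisory. The sample log is
constructed; the field layout follows the IIS W3C extended format.
"""
from collections import Counter
from typing import Dict, Iterator, List

# Constructed sample: two unauthenticated hits from 203.0.113.7, one ordinary
# request to a placeholder login page, and one upload by an IIS-authenticated
# user (name assumed).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2015-09-23 10:01:02 10.0.0.5 GET /LocalAuth/setAccount.aspx - 443 - 203.0.113.7 python-requests/2.7.0 200
2015-09-23 10:01:03 10.0.0.5 POST /ConfigTab/uploader.aspx - 443 - 203.0.113.7 python-requests/2.7.0 200
2015-09-23 10:05:44 10.0.0.5 GET /login.aspx - 443 - 192.168.1.20 Mozilla/5.0 200
2015-09-23 10:06:10 10.0.0.5 POST /ConfigTab/uploader.aspx - 443 kadmin 192.168.1.20 Mozilla/5.0 200
"""

# IIS paths are case-insensitive, so compare in lower case.
VULNERABLE_ENDPOINTS = {"/localauth/setaccount.aspx", "/configtab/uploader.aspx"}


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # a new #Fields line can appear mid-file
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # no header yet, or a line whose token count we can't trust
        yield dict(zip(fields, values))


def find_unauthenticated_hits(text: str) -> List[Dict[str, str]]:
    """Return records that hit a vulnerable endpoint with no IIS-authenticated user."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() not in VULNERABLE_ENDPOINTS:
            continue
        if rec.get("cs-username", "-") != "-":
            continue  # authenticated at the IIS layer; not what this check targets
        hits.append({
            "time": f"{rec.get('date')} {rec.get('time')}",
            "src": rec.get("c-ip", "?"),
            "method": rec.get("cs-method", "?"),
            "path": rec.get("cs-uri-stem", "?"),
            "status": rec.get("sc-status", "?"),
        })
    return hits


def hits_by_source(hits: List[Dict[str, str]]) -> Counter:
    """Count flagged requests per client address, for quick triage."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = find_unauthenticated_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['src']:>15} {h['method']:4} {h['path']} -> {h['status']}")
    print("per source:", dict(hits_by_source(found)))
```

One caveat that also applies to the `NOT user="*"` clause of the SIEM query: IIS fills cs-username only when IIS itself authenticates the request (for example Windows authentication). Where VSA handles logins at the application layer, the field is "-" for every request, so in that deployment a hit is a lead to correlate with VSA's own account-creation and upload audit entries rather than proof of a bypass on its own.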

🔗 References
