CVE-2017-18362
📋 TL;DR
CVE-2017-18362 is an unauthenticated SQL injection vulnerability in ConnectWise ManagedITSync integration for Kaseya VSA that allows attackers to execute arbitrary SQL queries on the VSA database. This affects all organizations using ConnectWise ManagedITSync integration through 2017 with Kaseya VSA. Attackers have exploited this to deploy ransomware across all managed endpoints.
💻 Affected Systems
- ConnectWise ManagedITSync integration for Kaseya VSA
📦 What is this software?
ManagedITSync by ConnectWise
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all managed endpoints via ransomware deployment, data exfiltration, and persistent backdoor installation across the entire network.
Likely Case
Ransomware deployment across all managed endpoints leading to operational disruption, data encryption, and extortion demands.
If Mitigated
Limited impact if proper network segmentation and access controls prevent exploitation attempts.
🎯 Exploit Status
Actively exploited in the wild since February 2019 with ransomware payloads. Proof-of-concept code available in public repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Post-2017 versions with security updates
Vendor Advisory: https://helpdesk.kaseya.com/hc/en-gb/articles/360022495572-Connectwise-API-Vulnerability
Restart Required: Yes
Instructions:
1. Update to the latest Kaseya VSA version with security patches.
2. Apply ConnectWise ManagedITSync integration updates.
3. Restart affected services.
4. Verify that the ManagedIT.asmx page is no longer accessible or is properly secured.
🔧 Temporary Workarounds
Block ManagedIT.asmx Access
Platform: Windows. Restrict access to the vulnerable ManagedIT.asmx page via web server configuration or firewall rules.
# For IIS: Remove or restrict ManagedIT.asmx in web.config
# Firewall rule to block access to /ManagedIT.asmx path
Network Segmentation
Platform: All. Isolate the Kaseya VSA server from the internet and restrict internal access to authorized management networks only.
# Configure firewall to allow only specific source IPs to Kaseya VSA ports
🧯 If You Can't Patch
- Immediately block all external access to Kaseya VSA web interface at network perimeter.
- Implement strict network segmentation to isolate VSA server and limit internal access to only necessary administrative systems.
🔍 How to Verify
Check if Vulnerable:
Check if ManagedIT.asmx page is accessible via HTTP request to Kaseya VSA web interface without authentication.
Check Version:
Check Kaseya VSA version in administrative console or via installed program version.
Verify Fix Applied:
Verify that the ManagedIT.asmx page returns a 404 error or requires authentication. Test that SQL injection attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in database logs
- Access attempts to ManagedIT.asmx from unauthorized sources
- Rapid deployment of executables across multiple endpoints
Network Indicators:
- HTTP POST requests to /ManagedIT.asmx with SQL payloads
- Outbound connections from VSA server to suspicious external IPs
SIEM Query:
source="web_server" AND uri="/ManagedIT.asmx" AND (method="POST" OR status=200)
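As an added example (not part of the original advisory), the following Python checker applies the log and network indicators above to constructed IIS-style access-log lines; the log layout, the set of authorized source addresses and the SQL-keyword heuristic are assumptions to adapt to your environment.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory) in a simplified IIS W3C layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2019-02-10 03:14:07 203.0.113.45 POST /ManagedIT.asmx - 200
2019-02-10 03:14:09 203.0.113.45 POST /managedit.asmx - 200
2019-02-10 08:00:01 10.0.5.20 POST /ManagedIT.asmx - 200
2019-02-10 08:05:44 10.0.9.7 GET /vsapres/web20/core/login.aspx - 200
2019-02-10 08:30:12 10.0.5.20 POST /ManagedIT.asmx op=1%27%20UNION%20SELECT%201 200
2019-02-10 09:12:30 198.51.100.8 GET /ManagedIT.asmx - 404
"""

# Assumption: only the ConnectWise integration host is expected to call the endpoint.
AUTHORIZED_SOURCES = {"10.0.5.20"}

TARGET_PATH = "/managedit.asmx"
# Coarse SQL-keyword heuristic for the query string; tune to reduce false positives.
SQL_PATTERN = re.compile(r"\b(union|select|insert|update|delete|drop|exec)\b|--|'", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    time: str
    src: str
    reason: str
    severity: str


def parse_line(line: str):
    """Split one log line into named fields; return None for blank, short or comment lines."""
    parts = line.split()
    if not parts or line.startswith("#") or len(parts) < 7:
        return None
    date, time, src, method, path, query, status = parts[:7]
    return {"time": f"{date} {time}", "src": src, "method": method.upper(),
            "path": path.lower(), "query": unquote(query), "status": status}


def detect(log_text: str, authorized=AUTHORIZED_SOURCES):
    """Return alerts for ManagedIT.asmx requests matching the indicators above."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        if rec["query"] != "-" and SQL_PATTERN.search(rec["query"]):
            alerts.append(Alert(rec["time"], rec["src"], "sql-like query string", "critical"))
        elif rec["src"] not in authorized:
            # Mirrors the SIEM query: a POST or a 200 from an unexpected source is the worst case.
            sev = "high" if rec["method"] == "POST" or rec["status"] == "200" else "medium"
            alerts.append(Alert(rec["time"], rec["src"], "unauthorized source", sev))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.severity:8} {a.time} {a.src} {a.reason}")
```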
🔗 References
- http://archive.today/rdkeQ
- https://github.com/kbni/owlky
- https://webcache.googleusercontent.com/search?q=cache:ZEo8ZRF_iEIJ:https://helpdesk.kaseya.com/hc/en-gb/articles/360022495572-Connectwise-API-Vulnerability+
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-18362