CVE-2021-40386

9.8 CRITICAL

📋 TL;DR

CVE-2021-40386 is a critical remote code execution vulnerability in Kaseya Unitrends Client/Agent software. Attackers can exploit this to execute arbitrary code on affected systems, potentially gaining full control. Organizations using Kaseya Unitrends backup solutions through version 10.5.5 are affected.

💻 Affected Systems

Products:
  • Kaseya Unitrends Client
  • Kaseya Unitrends Agent
Versions: Through 10.5.5
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both client and agent components of the Unitrends backup solution.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to deploy ransomware, steal sensitive backup data, and pivot to other network systems.

🟠 Likely Case

Attackers gain initial foothold on backup servers, potentially leading to data exfiltration, ransomware deployment, or lateral movement within the network.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, though backup systems remain at risk of compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

This vulnerability was actively exploited in the wild during the Kaseya supply chain attack in July 2021.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.5.5 and later

Vendor Advisory: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021

Restart Required: Yes

Instructions:

1. Immediately update all Kaseya Unitrends installations to version 10.5.5 or later.
2. Follow Kaseya's emergency patch instructions.
3. Restart affected services after patching.

🔧 Temporary Workarounds

Network Isolation (applies to: all platforms)

Isolate Kaseya Unitrends servers from internet access and restrict internal network access.

Configure firewall rules to block inbound connections to Unitrends ports (typically 80, 443, 1743).

Service Disablement (applies to: all platforms)

Temporarily disable Unitrends services if patching cannot be performed immediately.

Windows: sc stop "Unitrends Agent"
Linux: systemctl stop unitrends-agent

🧯 If You Can't Patch

  • Immediately isolate affected systems from all network access
  • Implement strict network segmentation and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check Unitrends version in administration console or via agent status commands.

Check Version:

Windows: wmic product where name="Unitrends" get version
Linux (dpkg-based): dpkg -l | grep unitrends
Linux (rpm-based): rpm -qa | grep unitrends

Verify Fix Applied:

Verify version is 10.5.5 or later and check for successful service restart.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Unitrends directories
  • Failed authentication attempts followed by successful exploitation
  • Unexpected network connections from Unitrends systems

Network Indicators:

  • Unusual outbound connections from backup servers
  • Traffic to known malicious IPs from Unitrends systems
  • Anomalous port activity on Unitrends default ports

SIEM Query:

source="unitrends*" AND (event_type="process_execution" OR event_type="network_connection") AND (process_path="*\Unitrends\*" OR dest_port IN (80, 443, 1743))
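The indicator list and SIEM query above are the page's own. What follows is an added Python triage script, not Kaseya or Unitrends tooling, that applies the same three log indicators (unusual process execution from a Unitrends directory, an unexpected outbound connection on a Unitrends port, and a successful authentication after failures from the same source) to a constructed sample of JSON events. The event format, the host name, the baseline of expected binaries (`agent.exe`) and the allow-listed peer `10.0.0.5` are all assumptions made for the example.

```python
"""Log triage for the three indicators listed above.

Event format (constructed for this example; not a real Unitrends log format):
one JSON object per line with event_type and host, plus process_path for
process events, dest_ip/dest_port/direction for network events, and
result/src_ip for auth events.
"""
import json
import re
from typing import Iterable, List, Tuple

# Matches a path component named "Unitrends" on either Windows or Linux.
UNITRENDS_PATH = re.compile(r"(?i)(^|[\\/])unitrends[\\/]")
# Ports named in the workaround section of the card.
WATCHED_PORTS = {80, 443, 1743}
# Assumption: binaries that normally run from the Unitrends directory.
EXPECTED_BINARIES = {"agent.exe"}
# Assumption: peers the backup host is expected to talk to (management console).
KNOWN_PEERS = {"10.0.0.5"}

# Constructed sample events; not captured from any real system.
SAMPLE_LOG = """\
{"event_type":"process_execution","host":"bkp01","process_path":"C:\\\\Program Files\\\\Unitrends\\\\agent.exe"}
{"event_type":"process_execution","host":"bkp01","process_path":"C:\\\\Program Files\\\\Unitrends\\\\cmd.exe"}
{"event_type":"network_connection","host":"bkp01","dest_ip":"10.0.0.5","dest_port":1743,"direction":"inbound"}
{"event_type":"network_connection","host":"bkp01","dest_ip":"203.0.113.9","dest_port":443,"direction":"outbound"}
{"event_type":"auth","host":"bkp01","result":"failure","src_ip":"203.0.113.9"}
{"event_type":"auth","host":"bkp01","result":"success","src_ip":"203.0.113.9"}
"""


def triage(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, reason) pairs for events that match an indicator."""
    alerts: List[Tuple[int, str]] = []
    failed_auth_sources = set()  # source IPs with at least one failed login so far

    for n, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            alerts.append((n, "unparseable event"))
            continue

        kind = ev.get("event_type")
        if kind == "process_execution":
            path = ev.get("process_path", "")
            name = re.split(r"[\\/]", path)[-1].lower()
            # Indicator 1: something other than the expected agent binary
            # executing from the Unitrends directory.
            if UNITRENDS_PATH.search(path) and name not in EXPECTED_BINARIES:
                alerts.append((n, f"unusual process from Unitrends directory: {name}"))
        elif kind == "network_connection":
            # Indicator 2: outbound traffic on a Unitrends port to a host
            # that is not on the allow-list of known peers.
            if (ev.get("direction") == "outbound"
                    and ev.get("dest_port") in WATCHED_PORTS
                    and ev.get("dest_ip") not in KNOWN_PEERS):
                alerts.append((n, "unexpected outbound connection to "
                                  f"{ev.get('dest_ip')}:{ev.get('dest_port')}"))
        elif kind == "auth":
            # Indicator 3: a success from a source that previously failed.
            src = ev.get("src_ip")
            if ev.get("result") == "failure":
                failed_auth_sources.add(src)
            elif ev.get("result") == "success" and src in failed_auth_sources:
                alerts.append((n, f"successful auth from {src} after earlier failures"))
    return alerts


if __name__ == "__main__":
    for line_no, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {reason}")
```

On the constructed sample the script flags lines 2, 4 and 6 and leaves the agent's own process start and the inbound console connection alone. The allow-lists are the part worth tuning: without a baseline of expected binaries and peers, the first two rules collapse into the page's SIEM query and fire on every normal backup job.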
