CVE-2021-43033

9.8 CRITICAL

📋 TL;DR

CVE-2021-43033 is a critical remote code execution vulnerability in Kaseya Unitrends Backup Appliance's bpserverd daemon that allows attackers to execute arbitrary commands as root. The vulnerability affects systems running vulnerable versions of the appliance, allowing complete system compromise. Organizations using Kaseya Unitrends Backup Appliance before version 10.5.5 are affected.

💻 Affected Systems

Products:
  • Kaseya Unitrends Backup Appliance
Versions: Versions before 10.5.5
Operating Systems: Linux-based appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: The bpserverd daemon runs with root privileges by default, making exploitation particularly dangerous.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with root privileges, data exfiltration, ransomware deployment, and lateral movement to other systems.

🟠

Likely Case

Remote code execution leading to data theft, credential harvesting, and installation of persistent backdoors.

🟢

If Mitigated

Limited impact if network segmentation, strict access controls, and monitoring are in place to detect exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit write-ups and proof-of-concept code exist, making this easily exploitable by attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.5.5

Vendor Advisory: https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961

Restart Required: Yes

Instructions:

1. Back up all configurations and data.
2. Download version 10.5.5 from the Kaseya support portal.
3. Apply the update following vendor instructions.
4. Restart the appliance to complete the installation.

🔧 Temporary Workarounds

Network Segmentation

Restrict network access to the bpserverd service (default port 1743) to only trusted management networks.

iptables -A INPUT -p tcp --dport 1743 -s TRUSTED_IP_RANGE -j ACCEPT
iptables -A INPUT -p tcp --dport 1743 -j DROP

🧯 If You Can't Patch

  • Immediately isolate the appliance from internet access and restrict to internal management networks only.
  • Implement strict network monitoring and IDS/IPS rules to detect exploitation attempts on port 1743.

🔍 How to Verify

Check if Vulnerable:

Check the appliance version via web interface or SSH: cat /etc/unitrends-release

Check Version:

cat /etc/unitrends-release

Verify Fix Applied:

Verify version is 10.5.5 or later and check that bpserverd service is running with updated binaries.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from bpserverd
  • Suspicious commands in system logs
  • Failed authentication attempts to bpserverd

Network Indicators:

  • Unusual traffic to port 1743 from untrusted sources
  • Large data transfers from appliance
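A small check for the first network indicator above, added here as an example and not part of the original advisory: it scans netfilter LOG lines (the iptables LOG target's SRC=/DST=/PROTO=/DPT= format) for TCP connection attempts to bpserverd's port 1743 from outside the trusted management ranges. The trusted networks and the sample log lines are constructed for the example.

```python
import ipaddress
import re

# Trusted management networks (assumed for this example; substitute your own).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]
BPSERVERD_PORT = 1743

# Fields emitted by the iptables LOG target that we need: SRC=, PROTO=, DPT=.
FIELD_RE = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")


def parse_netfilter_line(line):
    """Return {field: value} for SRC, PROTO and DPT, or None if the line is not a netfilter LOG entry."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "PROTO", "DPT")):
        return None
    return fields


def is_trusted(src):
    """True if the source address falls inside one of the trusted management ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_untrusted_bpserverd_hits(lines):
    """Return (line_number, source_ip) for TCP attempts to port 1743 from untrusted sources."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_netfilter_line(line)
        if f is None or f["PROTO"] != "TCP" or int(f["DPT"]) != BPSERVERD_PORT:
            continue
        if not is_trusted(f["SRC"]):
            hits.append((n, f["SRC"]))
    return hits


# Constructed sample lines in netfilter LOG format (not real traffic).
SAMPLE_LOG = [
    "Nov 12 10:01:03 ueb kernel: BPSERVERD IN=eth0 OUT= SRC=10.20.4.7 DST=10.20.1.5 PROTO=TCP SPT=51022 DPT=1743 SYN",
    "Nov 12 10:01:09 ueb kernel: BPSERVERD IN=eth0 OUT= SRC=203.0.113.44 DST=10.20.1.5 PROTO=TCP SPT=40211 DPT=1743 SYN",
    "Nov 12 10:01:10 ueb kernel: BPSERVERD IN=eth0 OUT= SRC=203.0.113.44 DST=10.20.1.5 PROTO=TCP SPT=40212 DPT=443 SYN",
    "Nov 12 10:02:44 ueb kernel: BPSERVERD IN=eth0 OUT= SRC=198.51.100.9 DST=10.20.1.5 PROTO=UDP SPT=5353 DPT=1743",
    "Nov 12 10:03:00 ueb sshd[1201]: Accepted publickey for admin from 192.168.50.3",
]

if __name__ == "__main__":
    for n, src in find_untrusted_bpserverd_hits(SAMPLE_LOG):
        print(f"line {n}: attempt to reach bpserverd port {BPSERVERD_PORT} from untrusted source {src}")
```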

SIEM Query:

source="bpserverd.log" AND (process_execution OR command_injection)
