
DIVD-2021-00002 - Kaseya VSA

Our reference DIVD-2021-00002
Case lead Frank Breedijk
Author Victor Gevers, Lennaert Oudshoorn
Researcher(s)
CVE(s)
Product Kaseya VSA
Versions All on-premise Kaseya VSA versions.
Recommendation Disable the on-premise Kaseya VSA servers immediately.
Status Open

Summary

On 2 July 2021, Kaseya published a notification advising customers to disable their on-premise Kaseya VSA servers immediately.

What you can do

Follow the official advisory from Kaseya:

We recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us.

It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.

What we are doing

The Dutch Institute for Vulnerability Disclosure (DIVD) performs a daily scan to detect vulnerable Kaseya VSA servers and notify the owners directly or via the known abuse channels, Gov-CERTs, and other trusted channels.

We have identified these servers by downloading the paths ‘/’, ‘/api/v1.5/cw/environment’ and ‘/install/kaseyalatestversion.xml’ and matching patterns in these files.
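
The check below is an added example, not DIVD's scanner or code from Kaseya: it requests the three paths listed above on hosts you operate and reports which ones still answer, so you can confirm that the shutdown recommendation has been carried out. The hostnames, the function names and the use of an HTTP 200 as the signal are assumptions, since the patterns DIVD matches are not published on this page.

```python
import ssl
import urllib.error
import urllib.request

# The three paths the advisory says DIVD downloads.
VSA_PATHS = ("/", "/api/v1.5/cw/environment", "/install/kaseyalatestversion.xml")

def probe(url, timeout=5):
    """Return the HTTP status code, "tls-error", or "unreachable"."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # a 4xx/5xx reply still means a web server answered
    except urllib.error.URLError as exc:
        # A failed certificate check still proves something is listening.
        return "tls-error" if isinstance(exc.reason, ssl.SSLError) else "unreachable"
    except OSError:
        return "unreachable"  # e.g. timeout while reading the response

def check_hosts(hosts, fetch=probe):
    """Report, per host, whether it still answers on the advisory's paths."""
    report = {}
    for host in hosts:
        results = {path: fetch(f"https://{host}{path}") for path in VSA_PATHS}
        report[host] = {
            "results": results,
            # Any answer at all means the server has not been shut down.
            "online": any(r != "unreachable" for r in results.values()),
            # Assumption: HTTP 200 on a VSA-specific path is used as the signal,
            # because the page does not publish the patterns DIVD matches.
            "vsa_paths_served": [p for p in VSA_PATHS[1:] if results[p] == 200],
        }
    return report

# Constructed responses for two hypothetical hosts, so the demo runs offline.
CONSTRUCTED = {
    "vsa-old.example.internal": {VSA_PATHS[0]: 200, VSA_PATHS[1]: 200, VSA_PATHS[2]: 200},
    "vsa-off.example.internal": {},
}

def fake_fetch(url):
    host, _, path = url[len("https://"):].partition("/")
    return CONSTRUCTED[host].get("/" + path, "unreachable")

if __name__ == "__main__":
    for host, entry in check_hosts(CONSTRUCTED, fetch=fake_fetch).items():
        print(host, "ONLINE" if entry["online"] else "offline", entry["vsa_paths_served"])
```

Calling `check_hosts` with a list of your own hostnames and the default `fetch` performs the live requests; a host counts as shut down only when every path returns "unreachable".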

Timeline

Date Description
02-07-2021 Kaseya publishes their advisory
02-07-2021 DIVD starts scanning to identify exposed Kaseya VSA servers
03-07-2021 DIVD has sent out notifications to the listed abuse addresses of all exposed Kaseya VSA servers found online

More information