
DIVD-2021-00014 - Kaseya Unitrends

Our reference DIVD-2021-00014
Case lead Victor Gevers
Researcher(s)
CVE(s)
  • n/a
Product Kaseya Unitrends
Versions
  • Server < 10.5.5-2
  • Client: currently unpatched, all versions likely vulnerable
Recommendation Do not expose this service or the clients directly to the internet until Kaseya has patched these vulnerabilities.
Patch status Server side vulnerabilities patched in v10.5.5-2, no patches available for the client
Workaround Workaround available for the client, in Kaseya knowledge base
Status Open

Summary

A DIVD researcher has identified three vulnerabilities in the Kaseya Unitrends backup product.

Server software prior to v10.5.5-2 is vulnerable to:

Client software (any version) is currently vulnerable to:

What you can do

Patch server software to at least version 10.5.5-2 to remove these vulnerabilities. As per Kaseya’s firewall requirements, you are strongly advised not to expose this product to the public internet.

The client-side vulnerability can currently only be mitigated with firewall rules. Filter traffic to and from the client using the recommended mitigation from the knowledge base article.
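The patch threshold above is a version string with a dash-separated build number (10.5.5-2), and a naive string comparison gets that ordering wrong (for example "10.5.5-10" sorts before "10.5.5-2" as text). The following is an added example, not code from DIVD or Kaseya, that parses versions in that format numerically and flags inventory entries below the patched release. The hostnames and versions in the sample inventory are constructed for the example; how you obtain the reported version of a real Unitrends server is outside what this page describes.

```python
import re
from typing import List, Tuple

# Lowest server version in which the vulnerabilities are patched, as stated on this page.
PATCHED_VERSION = "10.5.5-2"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v10.5.5-2' into (10, 5, 5, 2) so versions compare numerically.

    The dotted part is the release (padded to three components), the optional
    '-N' suffix is the build number. Integer tuples avoid the string-order trap
    where '10.5.5-10' would sort before '10.5.5-2'.
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:-(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release = release + (0,) * (3 - len(release))
    build = int(m.group(2)) if m.group(2) else 0
    return release + (build,)


def is_patched(version: str) -> bool:
    """True when the reported version is at or above PATCHED_VERSION."""
    return parse_version(version) >= parse_version(PATCHED_VERSION)


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("backup-01.example.internal", "10.5.5-2"),
    ("backup-02.example.internal", "v10.5.4-1"),
    ("backup-03.example.internal", "10.5.5-10"),
    ("backup-04.example.internal", "10.4.9-3"),
]


def unpatched_servers(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose reported version is below PATCHED_VERSION."""
    return [host for host, ver in inventory if not is_patched(ver)]


if __name__ == "__main__":
    for host in unpatched_servers(SAMPLE_INVENTORY):
        print(f"{host}: below {PATCHED_VERSION}, patch required")
```

Feed the function your own (hostname, version) pairs from whatever asset inventory you keep; anything it returns is a server that still needs the 10.5.5-2 update and, per the advice above, should not be reachable from the internet in the meantime.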

What we are doing

The Dutch Institute for Vulnerability Disclosure (DIVD) performs a daily scan to detect vulnerable Kaseya Unitrends servers and notify the owners directly or via the known abuse channels, Gov-CERTs and CSIRTs, and other trusted channels.

Timeline

Date Description
02 Jul 2021 Vulnerabilities discovered.
03 Jul 2021 Vendor informed.
14 Jul 2021 Scanning internet-facing implementations.
15 Jul 2021 Start of the identification of possible vulnerable internet-facing systems.
12 Aug 2021 Patches released for the Unitrends server (v10.5.5-2) that address these vulnerabilities.
06 Sep 2021 Added official CVE numbers to this case and site.