CVE-2017-18362 — Kaseya VSA SQL Injection Vulnerability
2022-05-24 • CISA Known Exploited Vulnerability
[event] ConnectWise ManagedITSync integration for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database.
> AFFECTED SOFTWARE
| Field | Value |
|---|---|
| Vendor | Kaseya |
| Product | Virtual System/Server Administrator (VSA) |
| CWE | CWE-89 |
| CVE ID | CVE-2017-18362 |
| Date Added | 2022-05-24 |
| Due Date | 2022-06-14 |
| Ransomware Campaign | Known — this vulnerability has been leveraged in ransomware campaigns |
> MITIGATION
The impacted product is end-of-life and should be disconnected if still in use.
Due Date: 2022-06-14