CVE-2017-18362 — Kaseya VSA SQL Injection Vulnerability

Kaseya VSA / ConnectWise ManagedITSync — Unauthenticated SQL Injection Gives Full Database Access to MSP Management Platform
Severity: CRITICAL (9.8). Status: end-of-life; disconnect.

What Is Kaseya VSA?

Kaseya VSA (Virtual System/Server Administrator) is a remote monitoring and management (RMM) platform used by managed service providers (MSPs) to manage client endpoints at scale. VSA agents are deployed on thousands of client machines per MSP customer, enabling centralized patch management, script execution, remote control, and monitoring. Because VSA has privileged agent access to all managed endpoints, a compromise of a Kaseya VSA server gives an attacker access to deploy code or ransomware across every managed client simultaneously — making MSP RMM platforms the highest-leverage target in the threat landscape.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 24, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-18362 is a critical SQL injection vulnerability in the ConnectWise ManagedITSync integration plugin for Kaseya VSA. The plugin exposes unauthenticated remote commands that allow direct, unrestricted access to the Kaseya VSA database — enabling an attacker to read all MSP and client data, extract credentials, modify configurations, and ultimately deploy malicious scripts to all managed endpoints. The affected product is end-of-life; CISA requires disconnecting it. Ransomware operators have exploited Kaseya VSA to deploy ransomware across MSP client networks simultaneously.

Affected Versions

ConnectWise ManagedITSync integration plugin for Kaseya VSA — versions before the November 2018 patched release. Organizations still running end-of-life Kaseya VSA with this plugin are at maximum risk and should immediately disconnect the system.

Technical Details

Root Cause: Unauthenticated SQL Injection in ManagedITSync Integration

CVE-2017-18362 is an SQL injection vulnerability (CWE-89) in the ConnectWise ManagedITSync plugin — a third-party integration that synchronizes data between Kaseya VSA and ConnectWise Manage (a PSA/ticketing platform used by MSPs). The plugin exposes HTTP endpoints that accept parameters passed directly into database queries without sanitization or authentication checks. An attacker can send crafted requests to these endpoints to:

  • Execute arbitrary SQL queries against the Kaseya VSA database
  • Read all VSA configuration data, agent credentials, and managed client information
  • Extract administrator credentials and session tokens
  • Modify VSA database records to create backdoor administrator accounts
  • Trigger VSA to deploy malicious scripts/packages to all managed endpoints

MSP supply chain amplification: The devastating aspect of VSA compromise is the blast radius — a single Kaseya VSA server typically manages hundreds to thousands of endpoints across dozens of client organizations. Code deployed via VSA installs with system/root privileges on every managed machine simultaneously.
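To make the root cause concrete, here is an added illustration (not code from Kaseya, ConnectWise or the plugin) of the two defects the advisory describes: an integration handler that takes an HTTP parameter straight into a SQL string with no authentication check, beside a corrected handler that requires authentication and binds the parameter. The table, column names and rows are a constructed stand-in using SQLite, not the VSA schema.

```python
import sqlite3

# Constructed sample data standing in for a few RMM agent records (not Kaseya's schema).
SAMPLE_ROWS = [
    ("acme-corp", "agent-001", "tok-acme-1"),
    ("acme-corp", "agent-002", "tok-acme-2"),
    ("globex", "agent-101", "tok-globex-1"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agents (org TEXT, agent_id TEXT, agent_token TEXT)")
    conn.executemany("INSERT INTO agents VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, org):
    """The pattern the advisory describes: an unauthenticated request parameter is
    concatenated into the query, so the caller controls the SQL that runs."""
    sql = f"SELECT agent_id FROM agents WHERE org = '{org}'"
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, org, caller_is_authenticated):
    """Corrected handler: reject unauthenticated callers, then bind the parameter
    so the database treats it strictly as a value, never as SQL syntax."""
    if not caller_is_authenticated:
        raise PermissionError("integration endpoint requires authentication")
    sql = "SELECT agent_id FROM agents WHERE org = ?"
    return [row[0] for row in conn.execute(sql, (org,))]


def denied_when_unauthenticated(conn, org):
    """Helper for checking that the hardened handler refuses anonymous callers."""
    try:
        hardened_lookup(conn, org, caller_is_authenticated=False)
    except PermissionError:
        return True
    return False
```

Feeding the classic tautology string to both handlers shows the difference: the vulnerable one returns every organization's agents, while the hardened one matches nothing because the string is compared literally.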

Attack Characteristics

Attribute        Detail
Attack Vector    Network — unauthenticated HTTP
Authentication   None required
Impact           Full database read/write access, script execution on all agents
Blast Radius     All MSP client endpoints managed by the VSA instance

Discovery

Discovered and reported to ConnectWise; patched in November 2018. The CVE was published in February 2019, over a year after the patch.

Exploitation Context

  • MSP ransomware supply chain attacks: Ransomware operators specifically target MSP management platforms because compromising a single VSA server enables simultaneous ransomware deployment across all client organizations; this is more efficient than attacking individual targets
  • REvil/Sodinokibi MSP campaigns: The REvil ransomware group conducted multiple campaigns specifically targeting Kaseya VSA and similar RMM platforms; while the high-profile July 2021 Kaseya VSA attack used CVE-2021-30116, earlier REvil MSP campaigns exploited older VSA vulnerabilities including CVE-2017-18362 on unpatched instances
  • End-of-life status: The affected Kaseya VSA product has reached end-of-life; CISA's required action is disconnection rather than patching, reflecting that no further security updates are available
  • CISA KEV (2022): Added May 24, 2022 reflecting continued exploitation of MSP infrastructure by ransomware operators

Remediation

CISA BOD 22-01 Deadline: June 14, 2022. The impacted product is end-of-life and should be disconnected if still in use.

  1. Disconnect end-of-life Kaseya VSA immediately — if still running the affected EOL Kaseya VSA version with ConnectWise ManagedITSync, disconnect it from the network immediately; no security patch will be provided for EOL software.

  2. Migrate to Kaseya VSA 10 or alternative RMM — migrate to a currently supported RMM platform with an active security patch program; evaluate Kaseya VSA 10 (cloud-hosted) or alternative MSP RMM platforms (NinjaRMM, ConnectWise Automate, Datto RMM).

  3. Audit for compromise indicators — if CVE-2017-18362 may have been exploited, treat all managed endpoints as potentially compromised; audit for unexpected scripts, scheduled tasks, and software deployments pushed via VSA.

  4. Restrict RMM access — regardless of platform, ensure MSP RMM management interfaces are never internet-accessible; require VPN or allowlisted IP access for all administrator connections.

  5. Enable MFA on all RMM admin accounts — MSP management platforms must have multi-factor authentication on all administrator accounts to limit the impact of credential theft.

Key Details

Property              Value
CVE ID                CVE-2017-18362
Vendor / Product      Kaseya — Virtual System/Server Administrator (VSA)
NVD Published         2019-02-05
NVD Last Modified     2025-11-05
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CISA KEV Added        2022-05-24
CISA KEV Deadline     2022-06-14
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-06-14. The impacted product is end-of-life and should be disconnected if still in use.

Timeline

Date        Event
2018-11-07  ConnectWise releases patched version of ManagedITSync plugin for Kaseya VSA
2019-02-05  CVE-2017-18362 published by NVD
2022-05-24  Added to CISA Known Exploited Vulnerabilities catalog
2022-06-14  CISA BOD 22-01 remediation deadline