CVE-2017-18362 in ManagedITSync
Summary
by MITRE
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/05/2025
The vulnerability identified as CVE-2017-18362 represents a critical authentication bypass flaw in ConnectWise ManagedITSync integration for Kaseya VSA versions through 2017. This issue stems from improper access controls within the ManagedIT.asmx web service endpoint, which exposes database interaction capabilities without requiring any form of authentication or authorization. The flaw exists at the application layer where the web service interface fails to implement proper security measures to verify user identities before executing database operations. According to CWE-287, this vulnerability falls under improper authentication, specifically where the system allows unauthorized access to privileged functions through the absence of adequate authentication mechanisms. The vulnerability is particularly dangerous because it provides attackers with direct database access, effectively granting them complete control over the Kaseya VSA environment.
The technical exploitation of this vulnerability occurs through the ManagedIT.asmx page, which serves as an entry point for database interactions within the Kaseya VSA infrastructure. When this page is accessible via the web interface, attackers can directly submit SQL queries without authentication requirements, enabling both read and write operations against the underlying database. This unauthenticated access allows for comprehensive data extraction, modification, and deletion operations that can completely compromise the integrity and availability of the managed endpoints. The vulnerability aligns with ATT&CK technique T1078.004, which describes valid accounts usage, but in this case the access is achieved through a flaw rather than legitimate credentials. The flaw essentially creates a backdoor that bypasses all normal authentication procedures and provides attackers with direct database shell access.
The operational impact of this vulnerability became evident during the 2019 exploitation campaign when threat actors actively leveraged this weakness to deploy ransomware payloads across managed endpoints. This exploitation demonstrates how a single authentication bypass can lead to complete system compromise and data encryption. The attackers utilized the unauthenticated database access to install malicious software on all endpoints managed by the compromised Kaseya VSA server, resulting in widespread ransomware deployment and significant business disruption. The vulnerability's exploitation aligns with ATT&CK technique T1486, which covers data encryption for ransom, as the attackers were able to encrypt data across multiple managed systems. The impact extends beyond immediate data compromise to include operational downtime, financial losses, and potential regulatory compliance violations due to the unauthorized access and data manipulation capabilities.
Mitigation strategies for CVE-2017-18362 require immediate implementation of network segmentation and access controls to restrict exposure of the ManagedIT.asmx endpoint. Organizations should implement proper authentication mechanisms and authorization controls for all database access points, ensuring that only authorized users can execute database operations. The vulnerability highlights the importance of regular security assessments and patch management, as Kaseya released updates to address this specific flaw. Network monitoring should be enhanced to detect unusual database access patterns and unauthorized SQL query execution attempts. Security controls should include disabling unnecessary web services, implementing web application firewalls, and establishing proper network access controls to limit exposure of vulnerable endpoints. Additionally, organizations should conduct regular penetration testing to identify similar authentication bypass vulnerabilities and ensure that all database interfaces properly enforce authentication requirements. The remediation approach should follow security frameworks such as NIST SP 800-53 controls for access control and system and information integrity to prevent similar vulnerabilities from reoccurring.