CVE-2019-14510 in VSA RMM

Summary

by MITRE

An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.)


Analysis

by VulDB Data Team • 01/08/2024

The vulnerability identified in CVE-2019-14510 represents a critical privilege escalation flaw within Kaseya VSA Remote Monitoring and Management software version 9.5.0.22 and earlier. This issue stems from the implementation of the LAN Cache feature, which creates a default configuration that establishes persistent administrative access across networked systems. The vulnerability manifests through the automatic creation of local accounts named FSAdmin followed by a random numeric string on both server hosts and client machines assigned to the LAN Cache. These accounts are systematically elevated to membership within local administrators groups of all associated clients, creating a persistent backdoor mechanism that extends beyond individual system boundaries.

Exploitation of this vulnerability relies on well-established pass-the-hash techniques, which bypass normal authentication by reusing a captured credential hash instead of a password. The FSAdmin accounts follow a predictable naming convention and share the same password hash across every client in the LAN Cache scope, so an attacker who obtains the hash on any one client can reuse it against all the others. When a client assigned to a LAN Cache is a Domain Controller, the vulnerability becomes particularly dangerous: the FSAdmin account becomes a domain account and is granted membership in the domain BUILTIN\Administrators group. The same hash therefore serves as a domain-level administrative credential that can be replayed against any Domain Controller, effectively giving the attacker domain-wide administrative privileges.

The operational impact of this vulnerability extends far beyond simple privilege escalation, creating a persistent threat vector that can compromise entire network infrastructures. Organizations using Kaseya VSA with default configurations face immediate risk of complete domain compromise, as the FSAdmin accounts provide administrative access to all systems within the LAN Cache scope. The vulnerability's persistence is particularly concerning since these accounts are created automatically during normal operation and remain active until manually removed, providing attackers with long-term access windows that are difficult to detect through routine security monitoring. The fact that local account pass-the-hash mitigations are ineffective against domain accounts further compounds the risk, as organizations implementing standard security controls may believe they are protected when they are not.

Security professionals should recognize this vulnerability as a classic example of privilege creep and credential management failure, aligning with CWE-259 and CWE-798 categories that address weak password handling and hard-coded credentials. The attack pattern described corresponds to ATT&CK technique T1078.001 for valid accounts and T1550.002 for pass-the-hash, demonstrating how default configurations can create attack vectors that bypass standard security controls. Organizations should immediately implement mitigations including disabling the LAN Cache feature when not required, manually removing the FSAdmin accounts from all systems, and implementing strict monitoring for account creation and administrative privilege changes. Additionally, network segmentation and privileged access management solutions should be deployed to limit the scope of potential compromise, while regular security audits should verify that no unauthorized administrative accounts exist within the environment. The vulnerability highlights the critical importance of reviewing default configurations and implementing least-privilege principles in remote management solutions to prevent similar issues from compromising enterprise security postures.
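The monitoring mitigation above (watching account creation and administrative group changes for the FSAdmin pattern) can be turned into concrete detection logic. The following is an added example, not VulDB's or Kaseya's own code; it runs over constructed records shaped like Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group), and the host names, SIDs and the list of Domain Controllers are assumptions.

```python
import re
from typing import Dict, Iterable, List

# Well-known SID of the BUILTIN\Administrators group on every Windows host.
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"
# LAN Cache account naming from the advisory: "FSAdmin" followed by nine digits.
FSADMIN_NAME = re.compile(r"^FSAdmin\d{9}$")

# Constructed sample events (hypothetical hosts and SIDs, not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "WS01", "TargetUserName": "FSAdmin123456789",
     "TargetSid": "S-1-5-21-1-2-3-1005"},
    {"EventID": 4732, "Computer": "WS01", "TargetSid": BUILTIN_ADMINISTRATORS_SID,
     "MemberSid": "S-1-5-21-1-2-3-1005", "MemberName": "FSAdmin123456789"},
    {"EventID": 4720, "Computer": "DC01", "TargetUserName": "FSAdmin123456789",
     "TargetSid": "S-1-5-21-9-9-9-1108"},
    # 4732 frequently reports MemberName as "-", so the SID must be resolved.
    {"EventID": 4732, "Computer": "DC01", "TargetSid": BUILTIN_ADMINISTRATORS_SID,
     "MemberSid": "S-1-5-21-9-9-9-1108", "MemberName": "-"},
    {"EventID": 4720, "Computer": "WS02", "TargetUserName": "svc_backup",
     "TargetSid": "S-1-5-21-1-2-3-1010"},
    {"EventID": 4732, "Computer": "WS02", "TargetSid": BUILTIN_ADMINISTRATORS_SID,
     "MemberSid": "S-1-5-21-1-2-3-1010", "MemberName": "svc_backup"},
]


def find_fsadmin_admin_grants(events: Iterable[Dict], domain_controllers: Iterable[str]) -> List[Dict]:
    """Flag FSAdminNNNNNNNNN accounts added to BUILTIN\\Administrators.

    A hit on a Domain Controller is reported with scope "domain" because there
    the account is a domain account, which local pass-the-hash mitigations
    do not cover; hits on other hosts are reported with scope "local".
    """
    dcs = {h.upper() for h in domain_controllers}
    sid_to_name: Dict[str, str] = {}  # built from 4720 events seen so far
    findings: List[Dict] = []
    for ev in events:
        if ev["EventID"] == 4720:
            sid_to_name[ev["TargetSid"]] = ev["TargetUserName"]
        elif ev["EventID"] == 4732 and ev["TargetSid"] == BUILTIN_ADMINISTRATORS_SID:
            name = sid_to_name.get(ev["MemberSid"]) or ev.get("MemberName", "")
            if FSADMIN_NAME.match(name):
                host = ev["Computer"].upper()
                findings.append({"computer": host, "account": name,
                                 "scope": "domain" if host in dcs else "local"})
    # Domain-scope findings first, then by host name, so the worst case leads.
    findings.sort(key=lambda f: (f["scope"] != "domain", f["computer"]))
    return findings


if __name__ == "__main__":
    for finding in find_fsadmin_admin_grants(SAMPLE_EVENTS, ["DC01"]):
        print(finding)
```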

Reservation: 08/01/2019

Moderation: accepted

CPE: ready

EPSS: 0.00534

KEV: no

Activities: very low
