search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Kaseya Virtual System Administrator contains multiple vulnerabilities

Vulnerability Note VU#919604

Original Release Date: 2015-07-13 | Last Revised: 2015-07-13


Kaseya Virtual System Administrator (VSA), versions R9 and possibly earlier, contains arbitrary file download and open redirect vulnerabilities.


CWE-22: Improper Limitation of Pathname to a Restricted Directory ('Path Traversal') - CVE-2015-2862

Kaseya VSA is an IT management platform with a help desk ticketing system. An authenticated attacker can traverse directories and download arbitrary files by submitting a specially crafted HTTP request to the server hosting the VSA software.

CWE-601: URL Redirection to Untrusted Site ('Open Redirect') - CVE-2015-2863

Kaseya VSA, versions V7.x, R8.x and R9.x, contain an open redirect vulnerability. An attacker may be able to leverage users' trust in the domain to induce them to visit a site with malicious content.

The CVSS score below refers to CVE-2015-2862.


A remote, authenticated attacker can download arbitrary files. A remote, unauthenticated attacker may be able to redirect users to arbitrary web sites.


Apply an update

The vendor has released the following patches to address these issues:

    • R9.1: install patch
    • R9.0: install patch
    • R8.0: install patch
    • V7.0: install patch

Vendor Information


Kaseya, Inc. Unknown

Notified:  April 27, 2015 Updated: April 27, 2015



Vendor Statement

We have not received a statement from the vendor.

Vendor References

    CVSS Metrics

    Group Score Vector
    Base 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
    Temporal 3.4 E:POC/RL:OF/RC:C
    Environmental 2.5 CDP:N/TD:M/CR:ND/IR:ND/AR:ND



    Thanks to Pedro Ribeiro ( of Agile Information Security for reporting these vulnerabilities.

    This document was written by Joel Land.

    Other Information

    CVE IDs: CVE-2015-2862, CVE-2015-2863
    Date Public: 2015-07-13
    Date First Published: 2015-07-13
    Date Last Updated: 2015-07-13 17:05 UTC
    Document Revision: 13

    Sponsored by CISA.