search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Kaseya Virtual System Administrator contains multiple vulnerabilities

Vulnerability Note VU#919604

Original Release Date: 2015-07-13 | Last Revised: 2015-07-13


Kaseya Virtual System Administrator (VSA), versions R9 and possibly earlier, contains arbitrary file download and open redirect vulnerabilities.


CWE-22: Improper Limitation of Pathname to a Restricted Directory ('Path Traversal') - CVE-2015-2862

Kaseya VSA is an IT management platform with a help desk ticketing system. An authenticated attacker can traverse directories and download arbitrary files by submitting a specially crafted HTTP request to the server hosting the VSA software.

CWE-601: URL Redirection to Untrusted Site ('Open Redirect') - CVE-2015-2863

Kaseya VSA, versions V7.x, R8.x and R9.x, contain an open redirect vulnerability. An attacker may be able to leverage users' trust in the domain to induce them to visit a site with malicious content.

The CVSS score below refers to CVE-2015-2862.


A remote, authenticated attacker can download arbitrary files. A remote, unauthenticated attacker may be able to redirect users to arbitrary web sites.


Apply an update

The vendor has released the following patches to address these issues:

    • R9.1: install patch
    • R9.0: install patch
    • R8.0: install patch
    • V7.0: install patch

Vendor Information

Expand all

Kaseya, Inc.

Notified:  April 27, 2015 Updated:  April 27, 2015



Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.


There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector
Base 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal 3.4 E:POC/RL:OF/RC:C
Environmental 2.5 CDP:N/TD:M/CR:ND/IR:ND/AR:ND



Thanks to Pedro Ribeiro ( of Agile Information Security for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-2862, CVE-2015-2863
Date Public: 2015-07-13
Date First Published: 2015-07-13
Date Last Updated: 2015-07-13 17:05 UTC
Document Revision: 13

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.