Security researchers warn of three new zero-day vulnerabilities in the Kaseya Unitrends service. The vulnerabilities include remote code execution and authenticated privilege escalation on the client-side.
Kaseya Unitrends is a cloud-based enterprise solution that provides affordable, low-maintenance data protection offering to complement existing client backup and recovery solutions.
Last week, experts from the Dutch Institute for Vulnerability Disclosure (DIVD) disclosed three new vulnerabilities in the Unitrends backup product that have yet to be addressed.
DIVD Chairman Victor Gevers told BleepingComputer that the advisory was originally shared with 68 government CERTs under a coordinated disclosure, but became public after one of them shared it with an organization’s service desk operating in the Financial Services.
An employee published the alert on an online analyzing platform.
According to the DIVD public advisory, the zero-day vulnerabilities impact Kaseya Unitrends versions prior 10.5.2.
The advisory recommends customers using the flawed solution to avoid exposing the service online running on default ports.
“A DIVD researcher has identified several vulnerabilities in the Kaseya Unitrends backup product version < 10.5.2.” reads the advisory. “Do not expose this service or the clients (running default on ports 80, 443, 1743, 1745) directly to the internet until Kaseya has patched these vulnerabilities,” reads DIVD’s advisory.
DIVD discovered the flaws on July 2nd, 2021, and reported them to the software vendor on July 3rd.
Dutch Institute for Vulnerability Disclosure (DIVD) experts are performing a daily scan to detect vulnerable Kaseya Unitrends servers and notify the owners directly or via Gov-CERTs and CSIRTs, and other trusted channels.
(SecurityAffairs – hacking, zero-days)