DIVD discloses three new unpatched Kaseya Unitrends zero-days

Experts found three new zero-day flaws in the Kaseya Unitrends service and warn users to avoid exposing the service to the Internet.

Security researchers warn of three new zero-day vulnerabilities in the Kaseya Unitrends service. The vulnerabilities include remote code execution and authenticated privilege escalation on the client-side.

Kaseya Unitrends is a cloud-based enterprise solution that provides affordable, low-maintenance data protection offering to complement existing client backup and recovery solutions.

Last week, experts from the Dutch Institute for Vulnerability Disclosure (DIVD) disclosed three new vulnerabilities in the Unitrends backup product that have yet to be addressed.

DIVD Chairman Victor Gevers told BleepingComputer that the advisory was originally shared with 68 government CERTs under a coordinated disclosure, but became public after one of them shared it with an organization’s service desk operating in the Financial Services.

An employee published the alert on an online analyzing platform.

According to the DIVD public advisory, the zero-day vulnerabilities impact Kaseya Unitrends versions prior 10.5.2.

The advisory recommends customers using the flawed solution to avoid exposing the service online running on default ports.

“A DIVD researcher has identified several vulnerabilities in the Kaseya Unitrends backup product version < 10.5.2.” reads the advisory. “Do not expose this service or the clients (running default on ports 80, 443, 1743, 1745) directly to the internet until Kaseya has patched these vulnerabilities,” reads DIVD’s advisory.

DIVD discovered the flaws on July 2nd, 2021, and reported them to the software vendor on July 3rd.

Dutch Institute for Vulnerability Disclosure (DIVD) experts are performing a daily scan to detect vulnerable Kaseya Unitrends servers and notify the owners directly or via Gov-CERTs and CSIRTs, and other trusted channels.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, zero-days)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.