CVE-2015-6589: 
Kaseya VSA Server vulnerability analysis and mitigation

Kaseya Virtual System Administrator (VSA) versions 7.0.0.0 through 7.0.0.32, 8.0.0.0 through 8.0.0.22, 9.0.0.0 through 9.0.0.18, and 9.1.0.0 through 9.1.0.8 contain a directory traversal vulnerability that allows remote authenticated users to write to and execute arbitrary files. The vulnerability exists in the json.ashx HTTP handler, which does not properly restrict file paths (ZDI Advisory).

The vulnerability exists within the json.ashx HTTP handler, which fails to properly restrict destination file paths. Authenticated attackers can leverage this vulnerability to upload and execute arbitrary code on the server under the context of IIS. The vulnerability has been assigned a CVSS v2.0 base score of 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) indicating network vector, low complexity, and requires authentication (ZDI Advisory).

Successful exploitation allows authenticated attackers to upload and execute arbitrary code on vulnerable Kaseya VSA servers with IIS privileges. This could lead to complete compromise of the affected system and potentially the entire managed IT infrastructure, as Kaseya VSA is used to control thousands of computers and mobile devices in an organization (Exploit DB).

Kaseya has released patches to address this vulnerability. Organizations should upgrade to the following versions: V7 - Install patch 7.0.0.33, R8 - Install patch 8.0.0.23, R9 - Install patch 9.0.0.19, R9.1 - Install patch 9.1.0.9 (ZDI Advisory).