CVE-2015-6922: 
Kaseya VSA Server vulnerability analysis and mitigation

Kaseya Virtual System Administrator (VSA) versions 7.x before 7.0.0.33, 8.x before 8.0.0.23, 9.0 before 9.0.0.19, and 9.1 before 9.1.0.9 contained a critical authentication bypass vulnerability identified as CVE-2015-6922. The vulnerability was discovered by Pedro Ribeiro of Agile Information Security and was disclosed on September 23, 2015. The affected software is an IT management platform that allows organizations to control thousands of computers and mobile devices (ZDI Advisory).

The vulnerability exists due to improper authentication enforcement in two key components: the forwarding service's handling of the setAccount.aspx page and the uploader.aspx page. The vulnerability has a CVSS v3.1 Base Score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating remote exploitation with no authentication required (NVD). The flaw specifically allows attackers to bypass authentication controls and either add an administrative account via crafted requests to LocalAuth/setAccount.aspx or write to and execute arbitrary files via the PathData parameter in ConfigTab/uploader.aspx (ZDI Advisory).

The vulnerability allows remote attackers to execute arbitrary code on vulnerable installations without requiring authentication. Successful exploitation enables attackers to become 'Master Admin' in the application and execute arbitrary code on all managed devices. Given that Kaseya VSA is used to manage thousands of computers and mobile devices, compromising the VSA server effectively means compromising the entire organization (ZDI Advisory).

Kaseya released patches to address this vulnerability. Organizations running affected versions should upgrade to the following patched versions: V7 – Install patch 7.0.0.33, R8 – Install patch 8.0.0.23, R9 – Install patch 9.0.0.19, or R9.1 – Install patch 9.1.0.9 (ZDI Advisory).