LiveActive security incident?Get immediate response
CVE Record

CVE-2018-20753: Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remo...

Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. In January 2018, attackers actively exploited this vulnerability in the wild.

CriticalCVSS 9.8Known exploitedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

This Kaseya VSA RMM flaw let unauthenticated remote attackers trigger PowerShell execution across managed devices. For executives, the key risk is centralized blast radius: one vulnerable management server could affect many downstream endpoints. The source bundle and CISA KEV indicate real-world exploitation occurred.

Executive priority

Treat as urgent if any affected Kaseya VSA instance remains in service or historical exposure is uncertain. The management-platform blast radius and confirmed exploitation justify executive tracking until versions, exposure, and endpoint review are complete.

Technical view

CVE-2018-20753 affects Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5. It is network-exploitable without privileges or user interaction and can execute PowerShell payloads on managed devices, with CVSS 9.8 critical impact.

Likely exposure

Organizations are exposed if they ran affected Kaseya VSA RMM versions, especially where attackers could reach the VSA service. Risk extends to devices managed by that VSA instance, not only the server itself.

Exploitation context

The source bundle states attackers actively exploited this vulnerability in January 2018, and CISA lists CVE-2018-20753 in its Known Exploited Vulnerabilities catalog. Huntress is cited for incident analysis involving a mining payload.

Researcher notes

The public bundle does not include root-cause details or a full vendor patch procedure. Analysis should stay anchored to version validation, KEV status, historical exploitation evidence, and endpoint telemetry review for unauthorized PowerShell activity.

Mitigation direction

  • Upgrade affected Kaseya VSA RMM versions to the fixed releases or later.
  • Review Kaseya’s advisory for version-specific remediation guidance.
  • Restrict access to VSA management interfaces where operationally possible.
  • Investigate managed endpoints for unauthorized PowerShell execution around exposure windows.
  • Prioritize remediation under KEV-driven vulnerability management processes.

Validation and detection

  • Inventory all Kaseya VSA RMM instances and record exact versions.
  • Confirm no instance runs before R9.3 9.3.0.35, R9.4 9.4.0.36, or R9.5 9.5.0.5.
  • Check whether VSA interfaces were reachable by untrusted networks.
  • Review endpoint telemetry for unexpected PowerShell launched via management workflows.
  • Assess whether any managed devices show signs matching the cited incident analysis.
Prepared
Confidence
high
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2018-20753 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.8 (3.1)
Known Exploited
Yes
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
4Source links

CISA KEV status

Status
Known exploited
Source
CISA / ADP
Date added
Not provided

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.8CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

9.8Critical
CVSS 3.1 vector shape for CVE-2018-20753Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.