CVE-2017-18362
CVE-2017-18362 is a critical-severity vulnerability in Connectwise Manageditsync with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-05-24). The underlying weakness is classified as CWE-89.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 87% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-05-24)
- EU (EUVD) id: EUVD-2017-9480
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-05-24)
- Weakness: CWE-89
- Affected product: Connectwise Manageditsync
- Published:
- Last modified:
Description
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.
CVE-2017-18362: Unauthenticated SQL Injection in ConnectWise ManagedITSync for Kaseya VSA
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2017-18362 |
| CWE | CWE-89 (SQL Injection) |
| CVSS v3 | 9.8 (CRITICAL) |
| CVSS v2 | 7.5 (HIGH) |
| EPSS | 0.86706 (99.72nd percentile) |
| KEV | Yes (CISA KEV, 2022-05-24) |
| Affected Product | ConnectWise ManagedITSync for Kaseya VSA |
Summary
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA contains an unauthenticated SQL injection vulnerability in the ManagedIT.asmx web service. Any remote attacker with network access to the page can execute arbitrary SQL queries against the Kaseya VSA database without authentication, granting full read and write capabilities. This vulnerability was actively exploited in the wild in February 2019 to deploy ransomware across all endpoints managed by compromised VSA servers.
Background
Kaseya VSA is a remote monitoring and management (RMM) platform widely used by managed service providers (MSPs) to administer client endpoints. ConnectWise ManagedITSync was an integration component designed to synchronize data between ConnectWise and Kaseya VSA environments. The integration exposed a web service endpoint (ManagedIT.asmx) that interacted directly with the VSA backend database. Due to insufficient input validation and lack of authentication on this endpoint, it became a critical attack vector.
Root Cause
The vulnerability is classified as CWE-89: SQL Injection. The ManagedIT.asmx page accepted user-supplied input and incorporated it directly into database queries without proper sanitization, parameterization, or authentication checks. This design flaw allowed an unauthenticated remote attacker to inject arbitrary SQL commands, effectively bypassing all access controls and interacting with the database as a privileged user. The lack of any authentication requirement on a page with direct database access represents a fundamental architectural weakness.
Impact
- CVSS v3.1 Score: 9.8 (CRITICAL) — Network attackable, low complexity, no privileges required, no user interaction.
- Confidentiality Impact: HIGH — Full database read access exposes sensitive customer data, credentials, and configuration details.
- Integrity Impact: HIGH — Attackers can modify database records, potentially altering endpoint policies or adding malicious accounts.
- Availability Impact: HIGH — Database manipulation or ransomware payload deployment can render managed endpoints unusable.
- CVSS v2 Score: 7.5 — Confirms network-accessible, unauthenticated attack with partial impacts across the CIA triad.
Exploitation Walkthrough
Defensive Context Only — No weaponized instructions are provided.
From a defender's perspective, exploitation typically follows this pattern:
- Reconnaissance: The attacker identifies an internet-facing Kaseya VSA instance with the
ManagedIT.asmxendpoint exposed.- Injection: The attacker submits crafted requests to the endpoint containing SQL syntax that the backend database executes without validation.
- Enumeration: The attacker queries database tables to extract endpoint lists, agent credentials, or administrative accounts.
- Action on Objectives: With full database access, the attacker may deploy remote commands to all managed endpoints — in confirmed incidents, this was used to stage and execute ransomware payloads.
Ethics Notice: This description is intentionally high-level and generic. It is intended to aid defenders in understanding attack flow for detection and mitigation purposes, not to enable unauthorized access.
Affected and Patched Versions
- Affected: ConnectWise ManagedITSync through 2017 for Kaseya VSA
- CPE:
cpe:2.3:a:connectwise:manageditsync:*:*:*:*:*:kaseya_vsa:*:* - Patched Version: Specific patch information is not available in the disclosed data. Administrators should consult Kaseya/ConnectWise documentation or remove the integration if unmaintained.
Remediation
- Immediate: Restrict or disable access to the
ManagedIT.asmxendpoint if it is no longer required. Do not expose it to untrusted networks. - Upgrade: Apply any vendor-supplied patches or updates for ConnectWise ManagedITSync. If the integration is end-of-life, decommission it.
- Compensating Controls:
- Implement network segmentation to ensure RMM interfaces are not internet-facing.
- Enforce IP allowlisting for any administrative or integration endpoints.
- Apply principle of least privilege to database accounts used by integration components.
- Monitor for unauthenticated requests to
.asmxendpoints within the VSA environment.
Detection
- Monitor web server logs for unauthenticated HTTP requests to
/ManagedIT.asmxor similar integration endpoints. - Alert on SQL error messages or anomalous query patterns originating from the VSA application layer.
- Track for unauthorized database schema enumeration or bulk data exfiltration events.
- Correlate endpoint behavior: simultaneous ransomware-like file activity across all managed agents may indicate mass exploitation of this vulnerability.
Assessment
- EPSS Score: 0.86706 with a 99.72nd percentile indicates an extremely high probability of active exploitation in the wild.
- KEV Status: Added to the CISA Known Exploited Vulnerabilities catalog on 2022-05-24, and the EU Exploited Vulnerabilities Database confirms in-the-wild exploitation since the same date.
- Historical Context: February 2019 saw confirmed ransomware campaigns leveraging this flaw, demonstrating its real-world destructive impact.
- Lessons: (1) Integration endpoints must never be exposed without robust authentication and input validation. (2) RMM platforms are high-value targets; any unauthenticated path to database control should be treated as a critical architectural defect.
References
Frequently asked questions
- What is CVE-2017-18362?
- ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.
- How severe is CVE-2017-18362?
- CVE-2017-18362 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-18362 being actively exploited?
- Yes. CVE-2017-18362 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-05-24, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2017-18362?
- CVE-2017-18362 affects Connectwise Manageditsync. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2017-18362?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2017-18362 have an EU (EUVD) identifier?
- Yes. CVE-2017-18362 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-9480. It is also flagged as exploited in the EUVD (since 2022-05-24).
- When was CVE-2017-18362 published?
- CVE-2017-18362 was published on 2019-02-05 and last updated on 2026-06-17.
References
- http://archive.today/rdkeQ
- https://github.com/kbni/owlky
- https://webcache.googleusercontent.com/search?q=cache:ZEo8ZRF_iEIJ:https://helpdesk.kaseya.com/hc/en-gb/articles/360022495572-Connectwise-API-Vulnerability+
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-18362
Affected products (1)
- cpe:2.3:a:connectwise:manageditsync:*:*:*:*:*:kaseya_vsa:*:*
Other CWE-89 (SQL Injection) vulnerabilities
- CVE-2026-54350 — Critical (CVSS 10.0): Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase…
- CVE-2026-8054 — Critical (CVSS 10.0): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints…
- CVE-2026-42287 — Critical (CVSS 10.0): Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and…
- CVE-2026-3325 — Critical (CVSS 10.0): SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the…
- CVE-2025-10878 — Critical (CVSS 10.0): A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26.…
- CVE-2025-57792 — Critical (CVSS 10.0): Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of…