CVE-2021-43037

Published: Dec 6, 2021Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The Unitrends Windows agent was vulnerable to DLL injection and binary planting due to insecure default permissions. This allowed privilege escalation from an unprivileged user to SYSTEM.

Affected (1)

Products: Kaseya: Unitrends Backup

1 product

Unitrends Backup

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Kaseya Unitrends Backup	From 10.0 to 10.5.5

Related CWEs

Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

References (6)

https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961

Source: cve@mitre.org

Vendor Advisory

https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-1

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-2

Source: cve@mitre.org

ExploitThird Party Advisory

https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-1

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-2

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.