Security Vulnerabilities fixed in Kaseya Server 9.5.7.2994
Description
Credential disclosure, XSS, and 2FA bypass in Kaseya VSA before 9.5.7 allow attackers to harvest Agent_Guid/AgentPassword from KaseyaD.ini, obtain sessionId via dl.asp GET, inject scripts via rcResults.asp/done.asp, and disable MFA by altering client-side flags.
Outbreak Alert
A recent high-profile exploit involving the Kaseya VSA product was linked to the REvil ransomware. This report summarizes the Fortinet Security Fabric coverage for the REvil ransomware itself. Refer to the separate report for more detail about the Kaseya vulnerability.
This report focuses on the Kaseya vulnerability itself. A separate (dedicated) report is available for the REvil ransomware, which exploits this vulnerability. The Kaseya VSA product is the victim of a sophisticated cyberattack that caused many of its customers to be infected with ransomware. On July 2, the SaaS version was temporarily shut down, and Kaseya warned all its customers to immediately stop using the on-premise version until a patch is available. Nearly 40 of its MSP customers, who themselves manage hundreds or thousands of businesses, were reported hacked.
https://www.nbcnews.com/tech/security/ransomware-attack-software-manager-hits-200-companies-rcna1338
Affected Applications
Kaseya Server