Security News > 2021 > July > Researchers warn of unpatched Kaseya Unitrends backup vulnerabilities
Security researchers warn of three new zero-day vulnerabilities in the Kaseya Unitrends service and advise users not to expose the service to the Internet.
Kaseya Unitrends is a cloud-based enterprise backup and disaster recovery solution that is offered as a stand-alone solution or as an add-on for the Kaseya VSA remote management platform.
Last week, the Dutch Institute for Vulnerability Disclosure issued a TLP:AMBER advisory about three unpatched vulnerabilities in the Kaseya Unitrends backup product.
Yesterday, DIVD released a public advisory warning that zero-day vulnerabilities have been discovered in Kaseya Unitrends versions earlier than 10.5.2 and to not expose the service to the Internet.
The vulnerabilities affecting the Kaseya Unitrends backup service include a mixture of authenticated remote code execution, authenticated privilege escalation, and unauthenticated remote code execution on the client side.
Threat actors would already need to have breached a customer network to exploit the unauthenticated client RCE. DIVD discovered the vulnerabilities on July 2nd, 2021, and disclosed them to Kaseya on July 3rd. On July 14th, DIVD began scanning the Internet for exposed Kaseya Unitrends instances to identify vulnerable systems.