Kaseya: >> Unitrends Backup >> 7.4.0 Security Vulnerabilities
Kaseya Unitrends Client/Agent through 10.5,5 allows remote attackers to execute arbitrary code.
CVSS Score
9.8
EPSS Score
0.025
Published
2022-04-15
It was discovered that the Unitrends Backup (UB) before 10.1.0 user interface was exposed to an authentication bypass, which then could allow an unauthenticated user to inject arbitrary commands into its /api/hosts parameters using backquotes.
CVSS Score
9.8
EPSS Score
0.676
Published
2018-03-14
It was discovered that the bpserverd proprietary protocol in Unitrends Backup (UB) before 10.0.0, as invoked through xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system.
CVSS Score
9.8
EPSS Score
0.749
Published
2017-08-07
It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. A remote attacker could use this flaw to bypass authentication and execute arbitrary commands with root privilege on the target system.
CVSS Score
9.8
EPSS Score
0.71
Published
2017-08-07
It was discovered that an issue in the session logic in Unitrends Backup (UB) before 10.0.0 allowed using the LOGDIR environment variable during a web session to elevate an existing low-privilege user to root privileges. A remote attacker with existing low-privilege credentials could then execute arbitrary commands with root privileges.
CVSS Score
8.8
EPSS Score
0.135
Published
2017-08-07