CVE-2017-18362 — Kaseya Virtual System/Server Administrator (VSA)

known ransomware use

Kaseya VSA SQL Injection Vulnerability

Added to KEV

2022-05-24

Federal due date

2022-06-14

Vendor

Kaseya

Product

Virtual System/Server Administrator (VSA)

EPSS

99.2th percentile (score 0.811, as of 2026-06-08)

NVD CVSS v3.1

—

Ransomware use

Known

Upstream

https://nvd.nist.gov/vuln/detail/CVE-2017-18362

CISA short description

ConnectWise ManagedITSync integration for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database.

Required action

The impacted product is end-of-life and should be disconnected if still in use.

EPSS percentile is the FIRST.org exploit-probability ranking as of the date noted above; it moves daily. CVSS reflects NVD's analysis at time of publication.