CVE-2015-6589

HIGH

Kaseya VSA <=9.1.0.8 Authenticated Path Traversal & Arbitrary File Write via json.ashx

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-6589. PoCs published by Pedro Ribeiro.

AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in Kaseya VSA, including unauthenticated privilege escalation and remote code execution via file upload with directory traversal. It includes a Ruby script for authenticated arbitrary file upload (CVE-2015-6589) and references Metasploit modules for unauthenticated exploits (CVE-2015-6922).

Description

Directory traversal vulnerability in Kaseya Virtual System Administrator (VSA) 7.0.0.0 before 7.0.0.33, 8..0.0.0 before 8.0.0.23, 9.0.0.0 before 9.0.0.19, and 9.1.0.0 before 9.1.0.9 allows remote authenticated users to write to and execute arbitrary files due to insufficient restrictions in file paths to json.ashx.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Pedro Ribeiro · textwebappsasp

https://www.exploit-db.com/exploits/38351

View Code ZIP pw:eip

This exploit demonstrates multiple vulnerabilities in Kaseya VSA, including unauthenticated privilege escalation and remote code execution via file upload with directory traversal. It includes a Ruby script for authenticated arbitrary file upload (CVE-2015-6589) and references Metasploit modules for unauthenticated exploits (CVE-2015-6922).

Classification

Working Poc 100%

Attack Type

Rce | Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Kaseya VSA versions 7.0.0.0-7.0.0.32, 8.0.0.0-8.0.0.22, 9.0.0.0-9.0.0.18, 9.1.0.0-9.1.0.8

No auth needed

Prerequisites: Network access to the Kaseya VSA server · For authenticated exploit: valid credentials

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Pedro Ribeiro · rubywebappsasp

https://www.exploit-db.com/exploits/43882

View Code ZIP pw:eip

This Ruby script exploits CVE-2015-6589, an authenticated arbitrary file upload vulnerability in Kaseya VSA versions 7.0.0.0 to 9.1.0.8. It authenticates using a challenge-based password hashing mechanism, then uploads a shell file to a vulnerable endpoint.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Kaseya VSA versions 7.0.0.0 - 9.1.0.8

Auth required

Prerequisites: Valid credentials for the Kaseya VSA instance · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/133782/Kaseya-Virtual-System-Administrator-Code-Execution-Privilege-Escalation.html

Third Party Advisory, VDB Entry x_refsource_misc

http://www.zerodayinitiative.com/advisories/ZDI-15-450

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/38351/

Third Party Advisory, VDB Entry x_refsource_misc

https://www.securityfocus.com/bid/76838

Scores

CVSS v3 8.8

EPSS 0.1358

EPSS Percentile 96.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (1)

kaseya/virtual_system_administrator 7.0.0.0 - 7.0.0.33

Published Feb 13, 2020

Tracked Since Feb 18, 2026