CVE-2015-6922

CRITICAL

Kaseya VSA <7.0.0.33, <8.0.0.23, <9.0.0.19, <9.1.0.9 - Unauthenticated RCE via File Write

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2015-6922. PoCs published by Metasploit, Pedro Ribeiro, including Metasploit module auxiliary/admin/http/kaseya_master_admin.

AI-analyzed exploit summary This Metasploit module exploits an arbitrary file upload vulnerability in Kaseya VSA (CVE-2015-6922) by uploading an ASP payload to a guessed directory path, leading to remote code execution with IUSR privileges.

Description

Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.33, 8.x before 8.0.0.23, 9.0 before 9.0.0.19, and 9.1 before 9.1.0.9 does not properly require authentication, which allows remote attackers to bypass authentication and (1) add an administrative account via crafted request to LocalAuth/setAccount.aspx or (2) write to and execute arbitrary files via a full pathname in the PathData parameter to ConfigTab/uploader.aspx.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/38401

This Metasploit module exploits an arbitrary file upload vulnerability in Kaseya VSA (CVE-2015-6922) by uploading an ASP payload to a guessed directory path, leading to remote code execution with IUSR privileges.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Kaseya VSA versions 7 to 9.1
No auth needed
Prerequisites: Network access to the Kaseya VSA server · The target must be running a vulnerable version of Kaseya VSA
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Pedro Ribeiro · textwebappsasp
https://www.exploit-db.com/exploits/38351

This exploit demonstrates multiple vulnerabilities in Kaseya VSA, including unauthenticated privilege escalation and remote code execution via file upload with directory traversal. It includes a Ruby script for authenticated arbitrary file upload (CVE-2015-6589) and references Metasploit modules for unauthenticated exploits (CVE-2015-6922).

Classification
Working Poc 100%
Attack Type
Rce | Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Kaseya VSA versions 7.0.0.0-7.0.0.32, 8.0.0.0-8.0.0.22, 9.0.0.0-9.0.0.18, 9.1.0.0-9.1.0.8
No auth needed
Prerequisites: Network access to the Kaseya VSA server · For authenticated exploit: valid credentials
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/kaseya_master_admin.rb

This Metasploit module exploits an authentication bypass in Kaseya VSA (CVE-2015-6922) to create a Master Administrator account by abusing the `setAccount.aspx` page, which is improperly restricted to localhost. It automates the process of extracting a session value and submitting a crafted POST request to create the account.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Kaseya VSA versions 7.0.0.17, 8.0.0.10, and 9.0.0.3
No auth needed
Prerequisites: Network access to the Kaseya VSA web interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/kaseya_uploader.rb

This Metasploit module exploits an arbitrary file upload vulnerability in Kaseya VSA (CVE-2015-6922) to achieve remote code execution. It uploads an ASP payload to a guessed directory path and triggers execution via HTTP request.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Kaseya VSA versions 7 to 9.1
No auth needed
Prerequisites: Network access to the Kaseya VSA server · The uploader.aspx endpoint must be accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Third Party Advisory, VDB Entry x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-15-448
Third Party Advisory, VDB Entry x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-15-449
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/38351/
Broken Link, Vendor Advisory x_refsource_misc
https://helpdesk.kaseya.com/entries/96164487--Kaseya-Security-Advisory

Scores

CVSS v3 9.8
EPSS 0.7780
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-287
Status published
Products (1)
kaseya/virtual_system_administrator 7.0.0.0 - 7.0.0.33
Published Feb 17, 2020
Tracked Since Feb 18, 2026