Description
Datto Backup Agent 1.0.6.0 and earlier does not authenticate incoming connections. This allows an attacker who can reach the agent on TCP port 25566 or 25568 to impersonate a Datto Backup Appliance, "pair" with the agent, and issue requests to it, provided the attacker sends the unspecified "specific information" by which the agent identifies a network device as "appearing to be a valid Datto."
References (1)
Core References
Mitigation, Patch, Vendor Advisory x_refsource_confirm
https://www.datto.com/partner-security-update-nov2017
Scores
CVSS v3
5.3
EPSS
0.0044
EPSS Percentile
35.3%
Attack Vector
ADJACENT_NETWORK
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
datto/backup_agent
< 1.0.6.0
Published
Nov 09, 2017
Tracked Since
Feb 18, 2026