CVE-2021-43037

HIGH

Kaseya Unitrends <10.5.5 - Privilege Escalation

Title source: llm

Description

An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The Unitrends Windows agent was vulnerable to DLL injection and binary planting due to insecure default permissions. This allowed privilege escalation from an unprivileged user to SYSTEM.

References (3)

[Vendor Advisory] https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961

[Exploit, Third Party Advisory] https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-1

[Exploit, Third Party Advisory] https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-2

Scores

CVSS v3 7.8

EPSS 0.0005

EPSS Percentile 16.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-427

Status published

Affected Products (1)

kaseya/unitrends_backup < 10.5.5

Timeline

Published Dec 06, 2021

Tracked Since Feb 18, 2026