CrowdSec
CrowdSec Score: 5/10

ConnectWise ManagedITSync - SQLi (CVE-2017-18362)

Published on 05-02-2019
First seen on 05-11-2025
Public Exploit | CVSS 9.8/10 | ConnectWise - ManagedITSync

363 exploiting IPs reported

The ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.

CrowdSec analysis

CVE-2017-18362 is a critical vulnerability in the ConnectWise ManagedITSync integration for Kaseya VSA, allowing unauthenticated attackers to execute arbitrary SQL commands and gain full access to the VSA database remotely. This flaw has been actively exploited in the wild, enabling threat actors to deploy ransomware across all endpoints managed by the affected VSA server. Attackers can leverage this vulnerability to read, modify, or destroy sensitive data, posing a severe risk to organizations using vulnerable versions.

CrowdSec has been tracking this vulnerability and its exploits since the 29th of October 2025.

According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2017-18362 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2017-18362 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2017-18362 continues to be an active part of the threat landscape and will likely remain this way for the foreseeable future.

Attackers exploit this vulnerability by sending requests to the /KaseyaCwWebService/ManagedIT.asmx endpoint, often looking for operations like ExecuteSQLQuery to run arbitrary SQL commands without authentication.
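One way to look for the request pattern described above in your own web server logs, as an added example that is not CrowdSec's detection logic: it scans IIS W3C-format access logs for requests to the ManagedIT.asmx endpoint and groups them by client IP. The log excerpt, its field layout and the `scan` function are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/kaseyacwwebservice/managedit.asmx"  # path from the analysis above
OPERATION = "executesqlquery"                    # operation named above

# Constructed IIS W3C log excerpt (documentation IP ranges, not real telemetry).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-11-05 10:01:02 GET /KaseyaCwWebService/ManagedIT.asmx - 203.0.113.7 200
2025-11-05 10:01:03 GET /kaseyacwwebservice/managedit.asmx op=ExecuteSQLQuery 203.0.113.7 200
2025-11-05 10:01:09 POST /KaseyaCwWebService/ManagedIT%2Easmx - 198.51.100.23 500
2025-11-05 10:02:11 GET /favicon.ico - 192.0.2.10 200
"""

def scan(log_text):
    """Return {client_ip: {"hits": n, "named_operation": bool}} for endpoint requests."""
    fields = []
    findings = defaultdict(lambda: {"hits": 0, "named_operation": False})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order differs between servers
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # skip malformed or truncated rows
        row = dict(zip(fields, values))
        # Normalise case and percent-encoding before comparing paths.
        stem = unquote(row.get("cs-uri-stem", "")).lower()
        query = unquote(row.get("cs-uri-query", "")).lower()
        if not stem.startswith(ENDPOINT):
            continue
        hit = findings[row.get("c-ip", "?")]
        hit["hits"] += 1
        # A SOAP POST carries the operation name in a header or body that the
        # default W3C fields do not record, so every request to the endpoint
        # is counted, not only those that name the operation in the URL.
        if OPERATION in stem or OPERATION in query:
            hit["named_operation"] = True
    return dict(findings)

if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(ip, info)
```

Any hit from an address outside your management network is worth investigating, since the page should not be reachable by unauthenticated external clients at all.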

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.