
A critical SQL injection vulnerability (CVE-2017-18362) in ConnectWise’s ManagedITSync integration exposed Kaseya VSA servers to unauthenticated remote attacks. Rated 9.8 on the CVSS v3.1 scale, this flaw allowed attackers to execute arbitrary SQL commands through the ManagedIT.asmx web interface, leading to full database compromise and ransomware deployment [1].
Executive Summary for Security Leadership
The vulnerability affected ManagedITSync, a middleware component designed to synchronize data between ConnectWise Manage PSA and Kaseya VSA RMM systems. Attackers could exploit this flaw without authentication, making it particularly dangerous for organizations using these platforms for IT service management. The exploit was weaponized in ransomware campaigns as early as February 2019, with GandCrab being a notable payload [2].
- CVSS 9.8 (CRITICAL): Network-based attack vector with no authentication required
- Impact: Full database access, remote code execution, ransomware propagation
- Affected Versions: All ManagedITSync releases up to and including 2017
- Mitigation: Patch to post-2017 versions or isolate vulnerable systems
Technical Analysis
The vulnerability stemmed from improper input validation in the SOAP-based web service endpoint ManagedIT.asmx. Attackers could craft malicious SQL queries through exposed parameters, bypassing authentication checks. Successful exploitation granted full read/write access to the Kaseya VSA database, which typically contains credentials, endpoint configurations, and remote execution capabilities [3].
Public exploit code available on GitHub demonstrates how attackers could chain this vulnerability to achieve remote code execution. The kbni/owlky proof-of-concept shows direct SQL command injection leading to Windows command execution via xp_cmdshell, a common post-exploitation technique [4].
Operational Impact
Organizations using vulnerable versions faced three primary risks: data exfiltration through direct database access, system compromise via arbitrary command execution, and ransomware deployment across managed endpoints. The integration’s privileged position in the IT management stack meant a single exploit could affect all connected systems.
Check Point’s advisory (CPAI-2017-1239) confirmed active exploitation in the wild, with attackers using the vulnerability as an initial access vector for later-stage payloads. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities Catalog in May 2022, requiring federal agencies to remediate it by June 2022 [5].
Remediation Guidance
For organizations still running affected systems, immediate action is required:
- Upgrade to patched versions of ManagedITSync where available
- Implement network access controls to restrict traffic to ManagedIT.asmx
- Monitor for unusual database queries or unexpected process execution
- Conduct forensic analysis if compromise is suspected
For end-of-life systems that cannot be patched, complete isolation from production networks is the only secure option. The vendor has not released patches for unsupported versions, leaving system hardening as the sole mitigation path.
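One way to check that the access restriction on ManagedIT.asmx is holding, and to surface callers worth investigating, is to review the web server's request logs for that endpoint. The following is an added example, not code from the vendor or from any cited advisory; it assumes IIS W3C extended logging, and the allowed network, the directory name and the sample log lines are constructed placeholders.

```python
import ipaddress

# Assumption: the only hosts that should ever call the endpoint (the PSA side).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/28")]
TARGET = "managedit.asmx"  # endpoint file name as given in the text above

# Constructed sample in IIS W3C extended format; the directory is a placeholder.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2019-02-05 03:11:09 10.20.0.5 POST /PLACEHOLDER_DIR/ManagedIT.asmx - 443 - 10.20.0.3 200
2019-02-05 03:14:41 10.20.0.5 POST /PLACEHOLDER_DIR/managedit.ASMX - 443 - 203.0.113.77 200
2019-02-05 03:15:02 10.20.0.5 GET /index.html - 443 - 203.0.113.77 200
2019-02-05 03:15:30 10.20.0.5 POST /PLACEHOLDER_DIR/ManagedIT.asmx - 443 - 198.51.100.9 500
"""

def unexpected_callers(log_text, allowed=ALLOWED_SOURCES, target=TARGET):
    """Return (date, time, client, method, status) for each request to the
    target endpoint whose client address is outside the allowed networks."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS can re-emit this header mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        # IIS paths are case-insensitive, so compare in lower case.
        if not row.get("cs-uri-stem", "").lower().endswith("/" + target):
            continue
        try:
            ok = any(ipaddress.ip_address(row["c-ip"]) in net for net in allowed)
        except (KeyError, ValueError):
            ok = False  # missing or unparsable client address: report it
        if not ok:
            hits.append((row.get("date", "-"), row.get("time", "-"),
                         row.get("c-ip", "-"), row.get("cs-method", "-"),
                         row.get("sc-status", "-")))
    return hits

if __name__ == "__main__":
    for hit in unexpected_callers(SAMPLE_LOG):
        print(*hit)
```

Any hit means the network control is not filtering that source; correlate its timestamp with database and process-creation logs on the VSA server.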
Conclusion
CVE-2017-18362 represents a critical risk to organizations using ConnectWise and Kaseya integrations. Its inclusion in CISA’s KEV catalog and active exploitation in ransomware campaigns underscore the importance of prompt remediation. While the vulnerability was disclosed in 2017, its impact continues to affect unpatched systems, demonstrating the long tail of security risks in enterprise software.
Security teams should review their asset inventories for any remaining vulnerable instances and verify that compensating controls are in place. The availability of public exploit code makes this vulnerability particularly attractive to attackers, requiring vigilant monitoring even after mitigation.
References
- “CVE-2017-18362 Detail.” National Vulnerability Database, 2017.
- “Known Exploited Vulnerabilities Catalog.” CISA, 2022.
- “Owlky Exploit Code.” GitHub, 2019.
- “Check Point Advisory CPAI-2017-1239.” Check Point Software Technologies, 2022.