CVE-2018-20753 - Kaseya VSA - Command Injection 💰

[princechaddha]

Description:

Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 contain a command injection caused by insufficient input validation in PowerShell execution, letting unprivileged remote attackers execute arbitrary PowerShell payloads on all managed devices, exploit requires network access to the system.

Severity: Critical

POC:

• https://blog.huntresslabs.com/deep-dive-kaseya-vsa-mining-payload-c0ac839a0e88

KEV: True

Shodan Query: http.favicon.hash:-1445519482

Acceptance Criteria: The template must include a complete POC and should not rely solely on version-based detection. Contributors are required to provide debug data(-debug) along with the template to help the triage team with validation or can also share a vulnerable environment like docker file.

Rewards will only be given once the template is fully validated by the team. Templates that are incomplete or invalid will not be accepted. Avoid adding code templates for CVEs that can be achieved using HTTP, TCP, or JavaScript. Such templates are blocked by default and won’t produce results, so we prioritize creating templates with other protocols unless exceptions are made.

You can check the FAQ for the Nuclei Templates Community Rewards Program here.

[princechaddha]

/bounty $100

[algora-pbc]

💎 $100 bounty • Erdogan Kervanli

💎 $100 bounty • ProjectDiscovery Bounty Available

How to Participate:

• Claim attempt: Comment /attempt #14535 on this issue. Multiple participants can attempt, but only the first to submit a complete, mergeable solution will receive the reward.
• Work on the issue: Follow the Contribution Guidelines and ensure your solution fully addresses the issue requirements.
• Submit your PR: Open a pull request to projectdiscovery/nuclei-templates and include /claim #14535 in the PR body.
• Receive payment: Upon successful merge, you will receive 100% of the bounty through Algora within 2-5 days.

Thank you for contributing to projectdiscovery/nuclei-templates and helping us democratize security!

---

PR Requirements

Your PR must include the following. PRs that don't meet these requirements may not be reviewed and could be closed.

Proposed Changes

Describe the overall picture of your modifications to help maintainers understand the pull request.

Proof

Demonstrate your changes work. Include before/after examples, screenshots, or terminal output showing the fix/feature in action.

Checklist

• PR created against the correct branch (usually dev)
• All checks passed (lint, unit/integration/regression tests)
• Tests added that prove the fix is effective or feature works
• Documentation added (if appropriate)

---

Add a bounty • Share on socials

Attempt	Started (UTC)	Solution	Actions
🟢 @pavithracampus-web	Feb 01, 2026, 02:56:47 PM	#15111	Reward
🟢 @erdogan98	Feb 02, 2026, 05:24:45 PM	#15125	Reward
🟢 @ohmygod20260203	Feb 04, 2026, 01:36:03 AM	#15143	Reward
🟢 @prathammis	Jan 15, 2026, 07:57:11 AM	WIP
🟢 @John6150	Jan 15, 2026, 10:39:43 AM	WIP
🟢 @BotGJ16	Jan 19, 2026, 08:01:43 AM	WIP
🟢 @thewindghost	Dec 23, 2025, 02:01:58 AM	WIP
🟢 @MuhamadJuwandi	Dec 23, 2025, 04:54:59 AM	#14538	Reward
🟢 @Kanchan-19s	Dec 23, 2025, 04:45:16 AM	WIP
🟢 @Pranjal6955	Dec 23, 2025, 06:12:06 AM	WIP
🟢 @user-reg-42	Dec 25, 2025, 03:27:52 PM	#14567	Reward
🟢 @nathan9513-aps	Jan 26, 2026, 02:34:07 PM	WIP
🟢 @relentless-robotics	Jan 30, 2026, 09:09:13 PM	#15099	Reward
🟢 @gyanu2507	Jan 31, 2026, 05:24:53 PM	#15104	Reward

[Kanchan-19s]

/attempt #14535

[MuhamadJuwandi]

/attempt #14535

[Pranjal6955]

/attempt #14535

[user-reg-42]

/attempt #14535

[prathammis]

/attempt #14535

[John6150]

/attempt #14535

[BotGJ16]

/attempt #14535