๐Ÿ” CVE Alert

CVE-2013-10034

UNKNOWN 0.0

Kaseya < 6.3.0.2 uploadImage.asp Arbitrary File Upload RCE

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

An unrestricted file upload vulnerability exists in Kaseya KServer versions prior to 6.3.0.2. The uploadImage.asp endpoint allows unauthenticated users to upload files to arbitrary paths via a crafted filename parameter in a multipart/form-data POST request. Because the endpoint performs no authentication and no input sanitization, an attacker can upload a file with an .asp extension to a web-accessible directory and then request it to execute arbitrary code with the privileges of the IUSR account. The vulnerability enables remote code execution without prior authentication and was resolved in version 6.3.0.2 by removing the vulnerable uploadImage.asp endpoint.

CWE: CWE-434
Vendor: kaseya
Product: kserver
Published: Jul 31, 2025
Last Updated: Apr 7, 2026
Affected Versions

Kaseya / KServer
* < 6.3.0.2

References

* raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb
* web.archive.org: https://web.archive.org/web/20150210113922/http://security-assessment.com/files/documents/advisory/Kaseya%20File%20Upload.pdf
* exploit-db.com: https://www.exploit-db.com/exploits/29675
* vulncheck.com: https://www.vulncheck.com/advisories/kaseya-arbitrary-file-upload-rce

Credits

Thomas Hibbert of Security-Assessment.com