PR
CVE-2018-20753: Kaseya VSA Command Injection Detection
projectdiscovery/nuclei-templates#14538

/claim #14535

PR Information

Added CVE-2018-20753 - Kaseya VSA Command Injection detection. This template detects vulnerable Kaseya VSA instances using Shodan favicon hash and version extraction to identify unpatched systems.

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details

Detection relies on:

  1. Shodan Favicon Hash: http.favicon.hash:-1445519482
  2. Server Header check: Server: Kaseya
  3. Version Regex Extraction against login.aspx

Note for Reviewers: This PR is stacked on top of PR #14537. Please kindly ignore the CVE-2025-68613.yaml file in the diff/history if present, and focus review on CVE-2018-20753.yaml.
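
The favicon-hash and Server-header signals listed under "Detection relies on", as an added example for checking hosts in your own inventory (not code from this PR or from nuclei-templates). It computes the Shodan-style favicon hash, which is MurmurHash3 x86 32-bit over the line-wrapped base64 of the favicon bytes, and compares both signals with the values quoted above. The function names, the substring match on the Server header and the sample input are assumptions made here; the version regex is not given on the page, so that step is left out.

```python
import base64

# Values quoted in the PR description above.
KASEYA_FAVICON_HASH = -1445519482
SERVER_MARKER = "kaseya"  # compared case-insensitively as a substring (assumption)
_MASK = 0xFFFFFFFF

def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & _MASK

def _mix(k: int) -> int:
    """Scramble one 32-bit block before it is folded into the hash state."""
    k = (k * 0xCC9E2D51) & _MASK
    k = _rotl(k, 15)
    return (k * 0x1B873593) & _MASK

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86 32-bit, returned as a signed int (the form Shodan shows)."""
    h = seed & _MASK
    body_len = len(data) - len(data) % 4
    for i in range(0, body_len, 4):
        h ^= _mix(int.from_bytes(data[i:i + 4], "little"))
        h = _rotl(h, 13)
        h = (h * 5 + 0xE6546B64) & _MASK
    tail = data[body_len:]  # 1 to 3 leftover bytes, read little-endian
    if tail:
        h ^= _mix(int.from_bytes(tail, "little"))
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & _MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & _MASK
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def shodan_favicon_hash(favicon: bytes) -> int:
    # The hash input is the base64 text with a newline every 76 characters,
    # not the raw favicon bytes; hashing the raw bytes never matches.
    return murmur3_32(base64.encodebytes(favicon))

def fingerprint(favicon: bytes, headers: dict) -> dict:
    """Evaluate the favicon and Server-header signals for one host."""
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    return {"favicon_match": shodan_favicon_hash(favicon) == KASEYA_FAVICON_HASH,
            "server_match": SERVER_MARKER in server.lower()}

if __name__ == "__main__":
    # Constructed sample: placeholder favicon bytes and headers, not from a real host.
    print(fingerprint(b"\x00\x00\x01\x00constructed", {"Server": "Kaseya"}))
```

A favicon match alone only identifies the product; whether a host is unpatched still depends on the version check the PR performs against login.aspx.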

Claim

Total prize pool: $100
Total paid: $0
Status: Pending
Submitted: December 23, 2025
Last updated: December 23, 2025

Contributors

Muhamad Juwandi

@MuhamadJuwandi

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$100