A security researcher demonstrated zero-day vulnerabilities in MSP platforms of Kaseya and ManageEngine, according to a report.

The researcher, whose name was withheld, presented the findings at the Kiwicon security conference in Wellington, New Zealand, according to SC Magazine in Australia.

In the demonstration, the researcher created an administrator account on Kaseya by injecting malicious script into a registry key used by the Kaseya user agent, according to SC Magazine. The script was accepted due to a vulnerability in which the MSP failed to properly validate its database, according to the report.

[Related: When Disaster Strikes: Let These VARs Tell You What Can Happen]

The researcher's demonstration of a ManageEngine vulnerability, which reportedly spoofed agent registration in version six of the MSPCentre Plus agent, failed during the conference, but the researcher said the exploit still worked, according to the report. The researcher also cited a previous vulnerability in N-able Technologies' N-central platform that has since been patched.

A Kaseya spokesperson said the company was alerted to the vulnerability through the New Zealand presentation and has successfully reproduced the attack. The company will release a hotfix to all customers Monday afternoon, she added.

Kaseya also has been unsuccessful in contacting the presenter, who goes by the name "Cartel."

"Kaseya always welcomes hearing directly from anyone who thinks they have found a hole, or have shown an exploit (as in this case), or is just worried about security of our system. We take this extremely seriously and drop everything to re-mediate the problem as soon as we hear of it. Typically we get a patch out within a day or two as is the case here," the spokesperson wrote in an email.

The report says the research previously found a vulnerability in N-central, which is the MSP platform for N-able Technologies, but an N-able spokesperson said the report may have an incorrect reference to N-able because N-central doesn't have a "rescue me" option.

"At N-able, we take any security-related issue very seriously, and work hard to ensure that any security-related issues brought to our attention are resolved as quickly as possible. N-able does not have a 'Rescue Me' option on the N-central platform, and to our knowledge, nobody on our team has been in communication with SC Magazine with regard to this story. As such, we believe that our name was incorrectly referenced in this story," the spokesperson wrote in an email.

Executives from ManageEngine could not be reached for immediate comment.

NEXT: Partner Seeks Clarification,

Ted Grandpre, field service manager at True North ITG, a Mill Creek, Wash.-based MSP and Kaseya partner, said the vulnerability is something he wants Kaseya to investigate if it's true.

"It's a pretty big deal if that's the case," Grandpre said, adding that vulnerabilities are something that are always a concern but haven't been a big issue in Kaseya

"You can only build so many doors. Eventually someone will break down a door to get in. There's a lot of money in it to figure out how to break things," he said.

Grandpre sent an email to his rep at Kaseya asking for clarification on the vulnerability. "Overall, we've been really happy with them. They're really receptive to input, criticism, ideas. Their support's been great," he said.

Grandpre sent an email to his rep at Kaseya asking for clarification on the vulnerability. "Overall, we've been really happy with them. They're really receptive to input, criticism, ideas. Their support's been great," he said.

PUBLISHED NOV. 19, 2012