Datto
Products
4- 4 CVEs
- 4 CVEs
- 4 CVEs
- 1 CVE
Recent CVEs
9| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-9254 | Cri | 0.64 | 9.8 | 0.01 | Feb 20, 2018 | Datto ALTO and SIRIS devices have a default VNC password. | ||
| CVE-2015-2081 | Cri | 0.64 | 9.8 | 0.03 | Feb 20, 2018 | Datto ALTO and SIRIS devices allow Remote Code Execution via unauthenticated requests to PHP scripts. | ||
| CVE-2017-16674 | Hig | 0.52 | 8.0 | 0.01 | Nov 9, 2017 | Datto Windows Agent allows unauthenticated remote command execution via a modified command in conjunction with CVE-2017-16673 exploitation, aka an attack with a malformed primary whitelisted command and a secondary non-whitelisted command. This affects Datto Windows Agent (DWA)… | ||
| CVE-2020-37047 | Hig | 0.51 | 7.8 | 0.00 | Feb 1, 2026 | Deep Instinct Windows Agent 1.2.29.0 contains an unquoted service path vulnerability in the DeepMgmtService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\HP Sure Sense\DeepMgmtService.exe… | ||
| CVE-2020-36934 | Hig | 0.51 | 7.8 | 0.00 | Jan 25, 2026 | Deep Instinct Windows Agent 1.2.24.0 contains an unquoted service path vulnerability in the DeepNetworkService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\HP Sure… | ||
| CVE-2015-9256 | Med | 0.35 | 5.3 | 0.01 | Feb 20, 2018 | Datto ALTO and SIRIS devices allow remote attackers to obtain sensitive information via access to device/VM restore mount points, because they do not have ACLs by default. | ||
| CVE-2015-9255 | Med | 0.35 | 5.3 | 0.01 | Feb 20, 2018 | Datto ALTO and SIRIS devices allow remote attackers to obtain sensitive information about data, software versions, configuration, and virtual machines via a request to a Web Virtual Directory. | ||
| CVE-2017-16673 | Med | 0.34 | 5.3 | 0.00 | Nov 9, 2017 | Datto Backup Agent 1.0.6.0 and earlier does not authenticate incoming connections. This allows an attacker to impersonate a Datto Backup Appliance to "pair" with the agent and issue requests to this agent, if the attacker can reach the agent on TCP port 25566 or 25568, and send… | ||
| CVE-2024-38864 | 0.00 | — | 0.00 | Dec 19, 2024 | Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p23, < 2.2.0p38 and <= 2.1.0p49 (EOL) allows a local attacker to read sensitive data. |
- risk 0.64cvss 9.8epss 0.01
Datto ALTO and SIRIS devices have a default VNC password.
- risk 0.64cvss 9.8epss 0.03
Datto ALTO and SIRIS devices allow Remote Code Execution via unauthenticated requests to PHP scripts.
- risk 0.52cvss 8.0epss 0.01
Datto Windows Agent allows unauthenticated remote command execution via a modified command in conjunction with CVE-2017-16673 exploitation, aka an attack with a malformed primary whitelisted command and a secondary non-whitelisted command. This affects Datto Windows Agent (DWA)…
- risk 0.51cvss 7.8epss 0.00
Deep Instinct Windows Agent 1.2.29.0 contains an unquoted service path vulnerability in the DeepMgmtService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\HP Sure Sense\DeepMgmtService.exe…
- risk 0.51cvss 7.8epss 0.00
Deep Instinct Windows Agent 1.2.24.0 contains an unquoted service path vulnerability in the DeepNetworkService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\HP Sure…
- risk 0.35cvss 5.3epss 0.01
Datto ALTO and SIRIS devices allow remote attackers to obtain sensitive information via access to device/VM restore mount points, because they do not have ACLs by default.
- risk 0.35cvss 5.3epss 0.01
Datto ALTO and SIRIS devices allow remote attackers to obtain sensitive information about data, software versions, configuration, and virtual machines via a request to a Web Virtual Directory.
- risk 0.34cvss 5.3epss 0.00
Datto Backup Agent 1.0.6.0 and earlier does not authenticate incoming connections. This allows an attacker to impersonate a Datto Backup Appliance to "pair" with the agent and issue requests to this agent, if the attacker can reach the agent on TCP port 25566 or 25568, and send…
- CVE-2024-38864Dec 19, 2024risk 0.00cvss —epss 0.00
Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p23, < 2.2.0p38 and <= 2.1.0p49 (EOL) allows a local attacker to read sensitive data.