Datto Backup Agent 1.0.6.0 and earlier does not authenticate incoming connections. This allows an attacker to impersonate a Datto Backup Appliance to "pair" with the agent and issue requests to this a...

Datto Windows Agent allows unauthenticated remote command execution via a modified command in conjunction with CVE-2017-16673 exploitation, aka an attack with a malformed primary whitelisted command a...

Datto ALTO and SIRIS devices allow Remote Code Execution via unauthenticated requests to PHP scripts.

Datto ALTO and SIRIS devices have a default VNC password.

Datto ALTO and SIRIS devices allow remote attackers to obtain sensitive information about data, software versions, configuration, and virtual machines via a request to a Web Virtual Directory.

Datto ALTO and SIRIS devices allow remote attackers to obtain sensitive information via access to device/VM restore mount points, because they do not have ACLs by default.