CVE-2021-30116
Published: 09 July 2021
Summary
CVE-2021-30116 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Kaseya VSA (on-premises server and agent). Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
Kaseya VSA versions prior to 9.5.7 contain a credential disclosure vulnerability tracked as CVE-2021-30116 and assigned CWE-522. The on-premises product exposes a default unauthenticated download page at /dl.asp that permits retrieval of Windows client installers. After installation, the generated KaseyaD.ini file (typically under C:\Program Files (x86)\Kaseya\...) stores an Agent_Guid and AgentPassword that can be replayed directly to the same endpoint.
An attacker with network access to the VSA server can download and execute a client installer to obtain the credentials, then submit them via a GET request to /dl.asp. Successful authentication returns a sessionId cookie that grants access to additional functionality not intended for agent use, enabling further semi-authenticated attacks against the VSA server and managed endpoints. The flaw received a CVSS 3.1 score of 10.0 reflecting its unauthenticated, network-exploitable nature and full impact on confidentiality, integrity, and availability.
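The replay pattern described above (agent credentials submitted as un and pw query parameters in a GET to /dl.asp) leaves a distinctive trace in the VSA server's web logs. The hunting script below is an added example, not code from Kaseya, DIVD or this page. It assumes the server is fronted by IIS and that the logs are in W3C extended format; the field order, the log excerpt and the agent User-Agent string are constructed for the example, with only the un/pw pair quoted in the advisory reused. It extracts every credentialed GET to /dl.asp, refuses to copy the pw value into its output, and flags any client IP that authenticates with several distinct Agent_Guid values, which a single legitimate agent never does.

```python
"""Hunt IIS W3C logs for the CVE-2021-30116 replay pattern: agent credentials
passed as un= / pw= query parameters in a GET to /dl.asp.

Added example, not Kaseya's or DIVD's code. Assumptions (not from the page):
the IIS W3C field order, the constructed log excerpt, the agent User-Agent.
"""
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log, not a real capture. The un/pw pair on the second
# request is the one quoted in the advisory; every other value is made up.
# IIS writes '+' for spaces inside a field, so each row splits cleanly on spaces.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-07-02 14:01:07 10.0.0.5 GET /dl.asp - 443 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) 200
2021-07-02 14:03:19 10.0.0.5 GET /dl.asp un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9 443 203.0.113.9 python-requests/2.25.1 200
2021-07-02 14:03:20 10.0.0.5 GET /dl.asp un=100000000000002&pw=0000000000000000000000000000000000000000000000000000000000000002 443 203.0.113.9 python-requests/2.25.1 200
2021-07-02 14:05:41 10.0.0.5 GET /dl.asp un=100000000000003&pw=0000000000000000000000000000000000000000000000000000000000000003 443 203.0.113.9 python-requests/2.25.1 200
2021-07-02 14:06:02 10.0.0.5 GET /dl.asp un=100000000000001&pw=0000000000000000000000000000000000000000000000000000000000000001 443 10.0.0.77 KaseyaAgent/9.5 200
2021-07-02 14:07:33 10.0.0.5 GET /favicon.ico - 443 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the names in the
    most recent #Fields directive. Rows whose column count does not match
    the directive are skipped rather than misaligned."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields line cannot be mapped
        values = line.split()
        if len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def find_dl_asp_credential_requests(records):
    """One hit per GET to /dl.asp whose query string carries both un and pw,
    i.e. the exact replay the advisory describes. The pw value is never
    copied into the hit so the hunt output does not re-spread the secret."""
    hits = []
    for rec in records:
        if rec.get("cs-method", "").upper() != "GET":
            continue
        if rec.get("cs-uri-stem", "").lower() != "/dl.asp":
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue  # plain visit to the download page, no credentials
        params = parse_qs(query, keep_blank_values=True)
        if "un" not in params or "pw" not in params:
            continue
        hits.append({
            "time": f"{rec.get('date', '?')} {rec.get('time', '?')}",
            "c_ip": rec.get("c-ip", "?"),
            "agent_guid": params["un"][0],
            "user_agent": rec.get("cs(User-Agent)", "-"),
            "status": rec.get("sc-status", "-"),
        })
    return hits


def distinct_guids_by_source(hits):
    """Map each client IP to the sorted set of Agent_Guid values it presented."""
    by_ip = defaultdict(set)
    for hit in hits:
        by_ip[hit["c_ip"]].add(hit["agent_guid"])
    return {ip: sorted(guids) for ip, guids in by_ip.items()}


def flag_credential_harvesting(hits, min_distinct_guids=2):
    """A legitimate agent presents exactly one Agent_Guid. One client IP
    authenticating as several distinct agents is the signature of harvested
    KaseyaD.ini credentials being replayed. Threshold is an assumption."""
    summary = distinct_guids_by_source(hits)
    return sorted(ip for ip, guids in summary.items()
                  if len(guids) >= min_distinct_guids)


if __name__ == "__main__":
    hits = find_dl_asp_credential_requests(parse_iis_w3c(SAMPLE_LOG))
    for hit in hits:  # pw is intentionally absent from every hit
        print(f"{hit['time']} {hit['c_ip']} un={hit['agent_guid']} "
              f"ua={hit['user_agent']} status={hit['status']}")
    print("suspected harvesting sources:", flag_credential_harvesting(hits))
```

Every credentialed GET to /dl.asp is worth a ticket on its own, because it proves the endpoint still accepts credentials in the URL; the per-source GUID count only orders the queue. Run against a real server, the script is only as good as the retained logs, so confirm that cs-uri-query is actually being logged before trusting an empty result.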
Public advisories from Kaseya and the Dutch Institute for Vulnerability Disclosure (DIVD) confirm that the issue was exploited in the wild in early July 2021 and recommend immediate upgrade to VSA 9.5.7 or later. The referenced Kaseya notice and DIVD reports also highlight removal of the exposed download page and hardening of credential handling as part of the remediation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-17056
Vulnerability details
Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp. When an attacker downloads a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini), which contains an Agent_Guid and AgentPassword. This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9). This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication.
Security issues discovered:
- Unauthenticated download page leaks credentials
- Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents
- dl.asp accepts credentials via a GET request
- Access to KaseyaD.ini gives an attacker sufficient information to penetrate the Kaseya installation and its clients
Impact:
Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.
- CWE(s): CWE-522 (Insufficiently Protected Credentials)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization checks on endpoints such as /dl.asp so that Agent_Guid/AgentPassword pairs cannot be replayed to obtain a sessionId.
- AC-6 (Least Privilege): ensures the agent credentials stored in KaseyaD.ini are restricted to the narrow set of agent-only functions and cannot be used for broader semi-authenticated operations.
- IA-5 (Authenticator Management): requires proper generation, storage, and transmission of authenticators so that credentials are not written to KaseyaD.ini in a directly replayable form or accepted over GET requests, where they land in URLs, proxy logs and web server logs.