Cyber Resilience

CVE-2021-30120

Critical

Published: 09 July 2021

Published
09 July 2021
Modified
21 November 2024
KEV Added
Patch
07 July 2021
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0041 61.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-30120 is a critical-severity Incorrect Resource Transfer Between Spheres (CWE-669) vulnerability in Kaseya Vsa. Its CVSS base score is 9.9 (Critical).

Operationally, ranked in the top 38.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication in enforce client-side instead of server-side and can be bypassed using a local proxy. Thus rendering 2FA useless. Detailed description --- During…

more

the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and used an intercepting proxy (e.g. Burp Suite) to change the value of MFARequered from True to False, there is no prompt for the second factor, but the user is still logged in.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

kaseya
vsa
≤ 9.5.6

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-669

Enforces proper authorization rules for any resource or data transfer between different spheres.

addresses: CWE-669

Accountability, documentation, and protection requirements ensure correct transfer of media resources between spheres.

addresses: CWE-669

Reduces incorrect transfers between spheres by establishing clear, separate domains for different sensitivities or functions.

addresses: CWE-669

It governs all resource transfers between spheres, preventing incorrect or unauthorized movement of data or capabilities across domain interfaces.

addresses: CWE-669

Addresses incorrect transfer of resources to an uncontrolled sphere by requiring approved destruction or sanitization methods.

References