CVE-2021-30116
CVE-2021-30116 is a critical-severity vulnerability in Kaseya Vsa Agent with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-522.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- CVSS v2: 7.5
- EPSS exploit prediction: 86% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-17056
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-522
- Affected product: Kaseya Vsa Agent
- Published:
- Last modified:
Description
Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.
CVE-2021-30116: Kaseya VSA Credential Disclosure via Client Installer Leak
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2021-30116 |
| CVSS v3 | 10.0 (Critical) |
| CVSS v2 | 7.5 |
| EPSS | 0.85619 |
| KEV | Yes (added 2021-11-03) |
| CWE | CWE-522 |
| Published | 2021-07-09 |
| Source | NVD |
Summary
Kaseya VSA before 9.5.7 exposes agent credentials through an unauthenticated client download endpoint (/dl.asp). An attacker can download a legitimate VSA agent installer, extract hardcoded credentials from the generated KaseyaD.ini file, and use those credentials to authenticate against the same download page. This yields a valid sessionId cookie that bypasses normal authentication and enables further semi-authenticated attacks against the VSA server and its managed clients. This vulnerability was actively exploited in the wild in July 2021 in conjunction with the REvil ransomware campaign.
Background
Kaseya VSA is a widely deployed remote monitoring and management (RMM) platform used by managed service providers (MSPs) to administer endpoints at scale. In July 2021, the platform became the focal point of a major supply-chain attack when threat actors leveraged multiple vulnerabilities—including this credential disclosure flaw—to compromise VSA servers and push ransomware downstream to MSP customers. The Dutch Institute for Vulnerability Disclosure (DIVD) and CISA both published advisories highlighting the severity of the exposure. Because VSA agents are pre-configured with credentials to phone home, those same credentials became a pathway for lateral movement and server compromise.
Root Cause
CWE-522: Insufficiently Protected Credentials.
The root cause is a design flaw in how Kaseya VSA provisions agent credentials. When a Windows agent installer is downloaded from the unauthenticated /dl.asp page and installed, it creates a local configuration file (KaseyaD.ini) containing an Agent_Guid and AgentPassword. These values are not unique to the endpoint or tied to a specific user session; instead, they are effectively shared secrets that the agent uses to authenticate back to the VSA server. The /dl.asp endpoint itself accepts these credentials via a GET request query string, returning a session cookie upon successful validation. Because the download page is unauthenticated, anyone can obtain the installer, extract the credentials, and replay them to obtain a session token. This is a classic case of credentials being insufficiently protected in transit and at rest, compounded by the fact that the same secret is reused across agents.
Impact
The CVSS v3 score of 10.0 (Critical) reflects the severity of this vulnerability:
- Attack Vector (AV): Network — The
/dl.aspendpoint is reachable over the network. - Attack Complexity (AC): Low — No special tools or conditions are required; downloading an installer and reading a local file is trivial.
- Privileges Required (PR): None — The download page is unauthenticated.
- User Interaction (UI): None — The attacker does not need to trick a user.
- Scope (S): Changed — Compromising the VSA server can affect all managed clients.
- Confidentiality (C): High — The attacker gains access to the VSA server and its managed endpoints.
- Integrity (I): High — Session hijacking allows the attacker to modify policies, deploy scripts, or push malware.
- Availability (A): High — The attacker can disrupt service or deploy ransomware, as observed in the July 2021 incidents.
In practice, this flaw was a prerequisite for downstream exploitation; it did not grant remote code execution by itself, but it bypassed authentication and enabled threat actors to chain additional vulnerabilities against the VSA server.
Exploitation Walkthrough
Ethics Notice: This section describes the vulnerability mechanism from a defensive perspective only. The purpose is to help defenders understand the attack surface and validate mitigations. No weaponized exploit code is provided.
- Reconnaissance: The attacker identifies an on-premise Kaseya VSA server (typically via internet scanning for known VSA endpoints or MSP infrastructure).
- Download: The attacker visits the unauthenticated client download page at
https://<vsa-server>/dl.asp. - Installer Extraction: The attacker downloads the Windows VSA agent installer and installs it in a controlled environment.
- Credential Harvesting: After installation, the attacker opens the generated
KaseyaD.inifile (located underC:\Program Files (x86)\Kaseya\<agent-id>\KaseyaD.ini) and extracts theAgent_GuidandAgentPasswordvalues. - Session Acquisition: The attacker issues a GET request to
/dl.aspwith the harvestedun(Agent_Guid) andpw(AgentPassword) parameters. The server validates the credentials and returns asessionIdcookie. - Lateral Abuse: With the session cookie, the attacker can access VSA services not intended for agents, chaining additional vulnerabilities or abusing administrative functionality to compromise the server and its managed clients.
This sequence was observed in the wild during the July 2021 REvil campaign, where compromised VSA servers were used to distribute ransomware to downstream customers.
Affected and Patched Versions
| Status | Product | Versions |
|---|---|---|
| Affected | Kaseya VSA Server | Before 9.5.7 |
| Affected | Kaseya VSA Agent | Before 9.5.7 |
| Patched | Kaseya VSA Server | 9.5.7 and later |
| Patched | Kaseya VSA Agent | 9.5.7 and later |
Exact patch details should be verified against Kaseya's official release notes. The CPE identifiers registered in NVD are cpe:2.3:a:kaseya:vsa_agent:*:*:*:*:*:*:*:* and cpe:2.3:a:kaseya:vsa_server:*:*:*:*:*:*:*:*.
Remediation
Primary:
- Upgrade Kaseya VSA Server and agents to version 9.5.7 or later as soon as possible. Kaseya released this patch specifically to address the credential disclosure and authentication bypass issues exploited during the July 2021 incidents.
Compensating Controls (if immediate patching is not feasible):
- Network Segmentation: Restrict access to
/dl.aspand the VSA web interface to trusted IP ranges or VPN-only access. Do not expose the VSA server directly to the internet unless absolutely necessary. - WAF / Reverse Proxy Rules: Implement Web Application Firewall rules to block or rate-limit requests to
/dl.aspfrom untrusted sources. - Credential Rotation: If supported by your version, rotate agent credentials and ensure they are unique per endpoint rather than shared across the fleet.
- Monitoring: Deploy network and endpoint monitoring to detect unusual access to
/dl.aspor anomaloussessionIdcookie usage from unexpected source IPs. - Disable Unnecessary Endpoints: If the client download page is not required for remote onboarding, disable or relocate it behind authenticated portals.
Detection
Defenders can detect exploitation or attempted exploitation through the following indicators:
- Web Server Logs: Monitor for repeated or anomalous GET requests to
/dl.asp, especially from unexpected source IPs or geolocations. - Authentication Anomalies: Alert on
sessionIdcookie issuance to/dl.aspwhen the source IP is not associated with a known managed endpoint. - File Integrity: Monitor for unexpected access to
KaseyaD.inion endpoints, or detect instances where the file is copied, archived, or exfiltrated. - Network Traffic: Look for inbound connections to
/dl.aspfollowed by outbound sessions to the VSA API from the same source IP, which may indicate a successful session hijacking attempt. - Endpoint Detection: Use EDR tools to flag when the VSA agent installer is downloaded and executed on non-managed or non-standard devices.
Assessment
EPSS & KEV Context:
With an EPSS score of 0.85619, this vulnerability sits in the top ~0.3% of all CVEs by exploitation probability. Its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog on 2021-11-03—and the EU's exploited vulnerability database on the same date—confirms that threat actors have weaponized this flaw in real campaigns. The July 2021 REvil ransomware attacks are the canonical example of its impact at scale.
Key Lessons:
- Credentials Embedded in Client Software Are a Liability: Any secret shipped inside a downloadable client installer can be extracted by an attacker. Authentication should rely on per-device, per-user, or ephemeral credentials—not hardcoded or shared secrets.
- Unauthenticated Endpoints Are Prime Attack Surface: A seemingly innocuous download page can become a critical vulnerability when it leaks authentication material. Every unauthenticated endpoint should be evaluated for information disclosure risks.
References
- https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/
- https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
- https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021
- https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30116
Frequently asked questions
- What is CVE-2021-30116?
- Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.
- How severe is CVE-2021-30116?
- CVE-2021-30116 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-30116 being actively exploited?
- Yes. CVE-2021-30116 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-30116?
- CVE-2021-30116 primarily affects Kaseya Vsa Agent. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-30116?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-30116 have an EU (EUVD) identifier?
- Yes. CVE-2021-30116 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-17056. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-30116 published?
- CVE-2021-30116 was published on 2021-07-09 and last updated on 2026-06-17.
References
- https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/
- https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
- https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021
- https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30116
Affected products (2)
- cpe:2.3:a:kaseya:vsa_agent:*:*:*:*:*:*:*:*
- cpe:2.3:a:kaseya:vsa_server:*:*:*:*:*:*:*:*
Other CWE-522 (Insufficiently Protected Credentials) vulnerabilities
- CVE-2026-7312 — Critical (CVSS 10.0): CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to…
- CVE-2026-29128 — Critical (CVSS 10.0): IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration files for routing components (e.g.,…
- CVE-2025-54863 — Critical (CVSS 10.0): Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration…
- CVE-2024-12799 — Critical (CVSS 10.0): Insufficiently Protected Credentials vulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux, 64…
- CVE-2024-51545 — Critical (CVSS 10.0): Username Enumeration vulnerabilities allow access to application level username add, delete, modify and list…
- CVE-2023-1778 — Critical (CVSS 10.0): This vulnerability exists in GajShield Data Security Firewall firmware versions prior to v4.28 (except v4.21) due to…
Browse all CWE-522 (Insufficiently Protected Credentials) vulnerabilities →