LiveActive security incident?Get immediate response
CVE Record

CVE-2021-30116: Unauthenticated credential leak and business logic flaw in Kaseya VSA <= v9.5.6

Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.

CriticalCVSS 10Known exploitedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

Kaseya VSA before 9.5.7 exposed agent credentials through an unauthenticated download flow. Those credentials could be misused to obtain a session and support further attacks. This is critical because VSA is an MSP management platform with broad downstream reach, and the CVE is in CISA KEV.

Executive priority

Treat this as urgent for any legacy or unverified Kaseya VSA deployment. The business risk is amplified by MSP trust relationships and the historical ransomware exploitation context.

Technical view

The issue combines credential disclosure and business logic failure around VSA agent download and authentication behavior. Leaked agent identifiers and passwords could authenticate to services not intended for agents, enabling semi-authenticated follow-on activity. The CVE has CVSS 10.0 and CWE-522.

Likely exposure

Organizations running on-premises Kaseya VSA versions earlier than 9.5.7 are the primary exposure. Internet-facing VSA servers and MSP environments managing many client endpoints carry higher business impact.

Exploitation context

The bundle states this was exploited in the wild in July 2021, and CISA lists CVE-2021-30116 in KEV. Current exploitation beyond those sources is not established here.

Researcher notes

The provided affected metadata is sparse, but the description identifies Kaseya VSA before 9.5.7. Avoid assuming additional products or fixes. Focus validation on version, exposure of the download flow, credential misuse, and follow-on VSA session activity.

Mitigation direction

  • Upgrade Kaseya VSA to version 9.5.7 or later.
  • Review Kaseya’s July 2021 vendor guidance before restoring exposed VSA systems.
  • Restrict external access to VSA management interfaces wherever operationally possible.
  • Rotate exposed or potentially exposed VSA agent credentials.
  • Assess managed endpoints for compromise indicators from the July 2021 campaign.

Validation and detection

  • Inventory all Kaseya VSA instances and record exposed versions.
  • Confirm no on-premises VSA server remains below 9.5.7.
  • Check whether VSA download functionality is externally reachable.
  • Review VSA authentication logs for unexpected agent credential use.
  • Validate endpoint telemetry for follow-on activity after suspicious VSA access.
Prepared
Confidence
high
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-522: Credential and account abuse lookup

Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-30116 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
10 (3.1)
Known Exploited
Yes
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
6Source links

CISA KEV status

Status
Known exploited
Source
CISA / ADP
Date added
Not provided

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
10CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H3.96Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

10Critical
CVSS 3.1 vector shape for CVE-2021-30116Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-522 · source CWE mapping

Insufficiently Protected Credentials

Insufficiently Protected Credentials represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.