CVE-2021-30116

10.0 CRITICAL

📋 TL;DR

CVE-2021-30116 is a credential-disclosure flaw in on-premise Kaseya VSA before version 9.5.7 that works as an authentication bypass. The server's agent download page (dl.asp) is reachable without logging in, and the installer it serves writes a KaseyaD.ini file containing an Agent_Guid and AgentPassword. Anyone who can fetch the installer therefore holds credentials that authenticate to the VSA server as an agent, and from that foothold can abuse the management system and, through it, every endpoint it manages. The REvil ransomware group exploited it in July 2021.

💻 Affected Systems

Products:
  • Kaseya Virtual System Administrator (VSA)
Versions: All versions before 9.5.7
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only on-premise installations are affected; Kaseya's hosted SaaS/cloud VSA was taken offline and patched by the vendor. In a default install the agent download page (/dl.asp) answers unauthenticated requests, and the installer it serves writes a KaseyaD.ini containing the agent GUID and password.

📦 What is this software?

Kaseya VSA (Virtual System Administrator) is a remote monitoring and management (RMM) platform used by managed service providers and internal IT teams. A central VSA server pushes scripts, software and updates to an agent installed on every managed endpoint, so whoever controls the server can run code on all of them.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Kaseya VSA management server, followed by ransomware deployment to every managed endpoint, data exfiltration, and lateral movement throughout the enterprise network.

🟠 Likely Case

Attackers gain administrative access to Kaseya VSA, use its own deployment features to push malware to managed endpoints, and encrypt systems with ransomware, as in the REvil attacks of July 2021.

🟢 If Mitigated

Limited impact if the VSA server is reachable only from trusted management networks and the agent download page is blocked, and if segmentation and monitoring contain any endpoint that is compromised.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable via the internet-facing dl.asp page, making exposed systems immediately vulnerable to widespread attacks.
🏢 Internal Only: HIGH - Even internally accessible systems are vulnerable to attackers who gain initial access through other means or insider threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Actively exploited in the wild by the REvil ransomware group in July 2021. Exploitation needs no authenticated session: download the agent installer from the public dl.asp page, run it so that it generates its KaseyaD.ini, and use the Agent_Guid and AgentPassword in that file to authenticate to the VSA server as an agent.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.5.7

Vendor Advisory: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021

Restart Required: Yes

Instructions:

1. Upgrade Kaseya VSA to version 9.5.7 or later without delay.
2. Follow the steps in Kaseya's emergency security patch runbook (linked above) in the order given; the vendor's guidance was to keep the server offline until the patch and hardening steps were complete.
3. Restart the VSA server and confirm that managed agents reconnect and update.
4. Rotate credentials and invalidate sessions: any installer downloaded before the patch, and the KaseyaD.ini on every deployed agent, contains agent credentials that should be treated as exposed.

🔧 Temporary Workarounds

Disable dl.asp endpoint

windows

Block the agent download page so that anonymous visitors can no longer pull an installer (and with it a KaseyaD.ini holding agent credentials). Legitimate agent deployment from that page stops as well, and credentials already present in deployed agents are unaffected, so this closes only the unauthenticated path and is not a substitute for the patch.

# Deny any request whose URL contains dl.asp using IIS Request Filtering (applies server-wide; run from an elevated PowerShell session with the WebAdministration module)
Import-Module WebAdministration
Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/security/requestFiltering/denyUrlSequences' -Name '.' -Value @{sequence='dl.asp'}
# Verify: an unauthenticated GET to https://[server]/dl.asp should now return HTTP 404 (IIS substatus 404.5, "URL sequence denied")

Network segmentation and firewall rules

windows

Restrict access to the Kaseya VSA web interface to trusted management networks. Use an allow rule scoped to those networks together with a default inbound action of Block; do not add a separate "block everything" rule, because Windows Firewall evaluates explicit Block rules before Allow rules and the allow rule would never take effect.

# Allow the VSA web UI (TCP 443) only from a management subnet (10.10.0.0/24 is an example); remove or disable any broader existing Allow rule for 443 so the profile default of Block applies to everyone else
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName "Kaseya VSA HTTPS - mgmt subnet only" -Direction Inbound -Protocol TCP -LocalPort 443 -RemoteAddress 10.10.0.0/24 -Action Allow
# Agents check in on TCP 5721 by default; scope that port the same way if agents only ever connect from known networks

🧯 If You Can't Patch

  • Immediately take Kaseya VSA servers offline and disconnect from networks
  • Implement strict network segmentation and monitor all traffic to/from Kaseya servers

🔍 How to Verify

Check if Vulnerable:

The server is vulnerable if its VSA version is below 9.5.7 and an unauthenticated GET to https://[server]/dl.asp returns the agent download page (rather than a login prompt or an HTTP 404).

Check Version:

Check Kaseya VSA web interface or server properties for version information

Verify Fix Applied:

Confirm the VSA version is 9.5.7 or later. Then confirm that agent credentials harvested from an installer downloaded before the patch (the Agent_Guid and AgentPassword in its KaseyaD.ini) no longer authenticate to the server; if they still do, rotate them.
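The two checks above as a small script, added here as an illustration rather than Kaseya's own tooling: the dotted-version format, the /dl.asp probe heuristics, the verdict names and the example version strings are assumptions. The pure logic (version comparison, response classification, overall verdict) is kept separate from the single network call so it can be exercised offline.

```python
import re
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

# First fixed release per the advisory; the build number (4th component) is ignored.
FIXED_VERSION = (9, 5, 7)


def parse_version(text):
    """Pull a 3- or 4-part version (e.g. '9.5.7.2994', an assumed format) out of
    UI or file-property text.  Raises ValueError if nothing version-like is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version string in {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_vulnerable_version(text):
    """True when major.minor.patch is strictly below 9.5.7."""
    return parse_version(text)[:3] < FIXED_VERSION


def classify_probe(status, body):
    """Verdict for an unauthenticated GET /dl.asp.  An exposed server answers 200 with
    the agent download form; the IIS request-filtering workaround answers 404."""
    if status == 200:
        return "exposed" if re.search(r"(?i)download|agent|\.exe", body) else "unexpected-200"
    if status in (401, 403, 404):
        return "blocked"
    return f"http-{status}"


def probe_dl_asp(base_url, timeout=10, verify_tls=True):
    """Live probe (not exercised offline).  Many on-prem VSA servers use self-signed
    certificates, hence the verify_tls switch."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(base_url.rstrip("/") + "/dl.asp",
                                 headers={"User-Agent": "cve-2021-30116-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_probe(resp.getcode(), resp.read(65536).decode("utf-8", "replace"))
    except HTTPError as err:
        return classify_probe(err.code, "")
    except URLError as err:
        return f"unreachable: {err.reason}"


def assess(version_text, probe_verdict):
    """Combine both checks.  'workaround' means the page is blocked but the server is
    still unpatched: credentials inside deployed agents' KaseyaD.ini files remain valid."""
    if not is_vulnerable_version(version_text):
        return "patched"
    if probe_verdict == "exposed":
        return "vulnerable"
    if probe_verdict == "blocked":
        return "workaround"
    return "unpatched-unverified"


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: check.py https://vsa.example.com <version-as-shown-in-ui>")
    url, version = sys.argv[1], sys.argv[2]
    verdict = probe_dl_asp(url, verify_tls=False)
    print(f"dl.asp: {verdict}; overall: {assess(version, verdict)}")
```

Run it from a management host with the server URL and the version shown in the VSA web interface; a result of "workaround" should be read as a reminder that the patch is still outstanding, not as a pass.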

📡 Detection & Monitoring

Log Indicators:

  • Unusual access to dl.asp endpoint
  • Multiple failed authentication attempts followed by successful agent authentication
  • Unexpected agent installations or connections

Network Indicators:

  • HTTP GET requests to /dl.asp from source addresses that are not known administrator or provisioning hosts, especially repeated pulls from one source or non-browser user agents
  • Unusual outbound connections from the Kaseya server
  • VSA-initiated script or file deployment to many agents in a short window (the July 2021 attack used VSA's own deployment features to push the ransomware payload), plus any REvil indicators your threat-intel feeds supply

SIEM Query:

source="iis:kaseya-vsa" AND uri_path="/dl.asp" AND NOT src_ip IN (<management ranges>) | stats count, values(user_agent), values(status) by src_ip

(Pseudo-query: rename the fields to match your SIEM's IIS schema and fill in your own management ranges. Agent-side authentication is better hunted through VSA's own audit logs than through the web server log.)
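The log indicators above applied to IIS access logs, as an added example that is not part of the page or of Kaseya's product. The log excerpt is constructed and the management subnet is an assumption. IIS writes W3C-format logs under %SystemDrive%\inetpub\logs\LogFiles by default, each with a #Fields header naming the columns; the parser reads that header rather than hard-coding positions, and it ignores URL case because IIS paths are case-insensitive.

```python
import ipaddress
from collections import Counter

# Assumed management/provisioning subnets from which dl.asp access is expected.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed IIS W3C log excerpt for illustration (IIS encodes spaces in user agents
# as '+', so each line has exactly as many tokens as the #Fields header).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-07-02 14:01:05 10.10.0.5 GET /dl.asp - 443 - 10.10.0.23 Mozilla/5.0 200
2021-07-02 14:02:11 10.10.0.5 GET /dl.asp - 443 - 203.0.113.77 curl/7.68.0 200
2021-07-02 14:02:12 10.10.0.5 GET /DL.ASP - 443 - 203.0.113.77 curl/7.68.0 200
2021-07-02 14:02:13 10.10.0.5 GET /dl.asp - 443 - 203.0.113.77 curl/7.68.0 200
2021-07-02 14:05:40 10.10.0.5 GET /dl.asp - 443 - 198.51.100.9 python-requests/2.25.1 404
2021-07-02 14:06:02 10.10.0.5 GET / - 443 - 198.51.100.9 python-requests/2.25.1 200
"""


def parse_w3c(log_text):
    """Yield one dict per request line, naming columns from the latest #Fields header."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_management_ip(ip_text, networks):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def find_dl_asp_activity(log_text, networks=MGMT_NETWORKS, burst_threshold=3):
    """Return dl.asp requests from outside the management networks, plus sources whose
    request count reaches burst_threshold (repeated installer pulls from one host)."""
    external = []
    per_ip = Counter()
    for rec in parse_w3c(log_text):
        if rec.get("cs-uri-stem", "").lower() != "/dl.asp":
            continue
        src = rec.get("c-ip", "")
        if is_management_ip(src, networks):
            continue
        per_ip[src] += 1
        external.append({
            "time": f"{rec['date']} {rec['time']}",
            "src": src,
            "user_agent": rec.get("cs(User-Agent)", "-"),
            "status": int(rec["sc-status"]),
        })
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return {"external": external, "bursts": bursts}


def served_installers(activity):
    """Count external requests that actually received the page (HTTP 200); a 404 means
    the request-filtering workaround refused it but the attempt is still worth noting."""
    return sum(1 for r in activity["external"] if r["status"] == 200)


if __name__ == "__main__":
    result = find_dl_asp_activity(SAMPLE_LOG)
    for r in result["external"]:
        print(f"{r['time']} {r['src']:>15} {r['status']} {r['user_agent']}")
    print("bursts:", result["bursts"], "installers served:", served_installers(result))
```

Point it at the real log directory by reading each file and concatenating its text; every file carries its own #Fields header, so the parser re-synchronises per file. Anything flagged from before the patch date means an installer, and the agent credentials inside it, left the server.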
