CVE-2021-30118

9.8 CRITICAL

📋 TL;DR

CVE-2021-30118 is an unauthenticated arbitrary file upload vulnerability in Kaseya VSA that allows remote attackers to upload malicious ASP.NET files and execute arbitrary code with web server privileges. This affects Kaseya VSA Unified Remote Monitoring & Management (RMM) version 9.5.4.2149. Attackers can achieve full system compromise without authentication.

💻 Affected Systems

Products:
  • Kaseya VSA Unified Remote Monitoring & Management (RMM)
Versions: 9.5.4.2149
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the /SystemTab/uploader.aspx endpoint which is accessible by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise leading to data theft, ransomware deployment, credential harvesting, and lateral movement across the network.

🟠 Likely Case: Web shell deployment leading to persistent backdoor access, data exfiltration, and potential ransomware deployment.

🟢 If Mitigated: Limited impact with proper network segmentation, but still significant risk to the affected VSA server.

🌐 Internet-Facing: HIGH - Exploitation requires no authentication and can be performed remotely over HTTP.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows complete compromise of the VSA server.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a single HTTP POST request with crafted parameters. The session ID check can be bypassed because any numeric cookie value is accepted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.5.5 and later

Vendor Advisory: https://helpdesk.kaseya.com/hc/en-gb/articles/360019054377-9-5-5-Feature-Release-10-April-2021

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download and install Kaseya VSA version 9.5.5 or later from the Kaseya support portal.
3. Restart the VSA service.
4. Verify the patch is applied by checking the installed version.

🔧 Temporary Workarounds

Block access to vulnerable endpoint

Use a web application firewall or network firewall to block access to /SystemTab/uploader.aspx. Path-level blocking needs a device that sees the plaintext request (a WAF or TLS-terminating proxy); a packet filter cannot match the path inside TLS traffic on 443.

# Example iptables rule for a Linux host in front of the VSA server (VSA itself runs on Windows); string matching only works on plaintext HTTP:
iptables -A INPUT -p tcp --dport 80 -m string --string "/SystemTab/uploader.aspx" --algo bm -j DROP

# Example Windows Firewall rule. Note that this blocks all inbound TCP/80 traffic to the HTTP service, not just the uploader path, so legitimate VSA web access on that port is blocked as well:
New-NetFirewallRule -DisplayName "Block Kaseya Uploader" -Direction Inbound -Protocol TCP -LocalPort 80 -RemoteAddress Any -Action Block -Program "%SystemRoot%\system32\svchost.exe" -Service "http" -Profile Any

Restrict network access to VSA

Limit VSA server access to trusted management networks only.

# Configure the firewall to allow only specific source IPs to reach the VSA port. Rule order matters: the ACCEPT for the trusted range must come before the catch-all DROP.
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Immediately isolate the VSA server from internet access and restrict to management VLAN only
  • Implement strict file integrity monitoring on web directories and alert on new ASPX file creation
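One way to implement the file integrity monitoring item above, as an added example that is not Kaseya's code or a vendor-provided tool: record a baseline of every .aspx file under the web directory (relative path plus SHA-256) and report files that are new or modified since the baseline was taken. The web directory, file names and contents are constructed in a temporary folder so the example runs offline; in practice, point build_baseline at the real VSA web directory (its location is an assumption not taken from this page) and run the check on a schedule.

```python
"""
File integrity baseline and check for script-capable files in a web directory.
Added example (not Kaseya's code). Paths, file names and contents are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def _sha256(path: Path) -> str:
    """Stream-hash a file so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot: Path, exts: Tuple[str, ...] = (".aspx",)) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every file under webroot with a watched extension.
    Only .aspx is watched by default, matching the indicator on this page; other IIS
    handler extensions can be added via exts."""
    baseline: Dict[str, str] = {}
    for p in webroot.rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            baseline[p.relative_to(webroot).as_posix()] = _sha256(p)
    return baseline


def save_baseline(baseline: Dict[str, str], dest: Path) -> None:
    """Persist the baseline; store it off the web server so an intruder cannot edit it (assumption)."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def check_against_baseline(webroot: Path, baseline: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (new files, modified files) relative to the recorded baseline."""
    current = build_baseline(webroot)
    new = sorted(rel for rel in current if rel not in baseline)
    modified = sorted(rel for rel in current if rel in baseline and current[rel] != baseline[rel])
    return new, modified


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: baseline a small webroot, then a new ASPX appears and one changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "SystemTab").mkdir()
        (root / "SystemTab" / "uploader.aspx").write_text("<%@ Page %>")  # constructed content
        (root / "login.aspx").write_text("<%@ Page %>")
        (root / "readme.txt").write_text("not watched")

        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulate the event the page says to alert on: a new .aspx file in the webroot,
        # plus an edit to an existing page.
        (root / "dropped.aspx").write_text("<%@ Page %>")
        (root / "login.aspx").write_text("<%@ Page %> changed")

        return check_against_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    new_files, modified_files = demo()
    print("new ASPX files:", new_files)
    print("modified ASPX files:", modified_files)
```

Alert on any non-empty result; a legitimate patch or deployment is the only expected source of new .aspx files, so those events should be rare and explainable.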

🔍 How to Verify

Check if Vulnerable:

Check if version is 9.5.4.2149 via VSA web interface or by examining installed software in Control Panel

Check Version:

Check VSA web interface login page or examine installed programs list for Kaseya VSA version

Verify Fix Applied:

Verify version is 9.5.5 or later and test that /SystemTab/uploader.aspx endpoint properly validates authentication

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /SystemTab/uploader.aspx with qqfile and PathData parameters
  • Creation of new ASPX files in web directories
  • Unusual process execution from w3wp.exe or IIS worker processes

Network Indicators:

  • HTTP POST to /SystemTab/uploader.aspx with file upload parameters
  • Subsequent requests to newly created ASPX files
  • Unusual outbound connections from VSA server

SIEM Query:

(source="web_server_logs" AND uri="/SystemTab/uploader.aspx" AND method="POST") OR (file_creation AND extension=".aspx" AND path="*webroot*")
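Detection logic for the log and network indicators above, as an added example that is not Kaseya's code or a vendor-provided rule: it parses IIS W3C log lines using the #Fields header, flags POST requests to /SystemTab/uploader.aspx, flags requests to .aspx paths that are not in a known-good baseline, and correlates the two per client IP to surface the upload-then-request pattern. The log excerpt, IP addresses and baseline paths are constructed sample data; a real baseline must be generated from the installed VSA web directory (assumption).

```python
"""
IIS W3C log detection for the indicators on this page. Added example, not Kaseya's code.
All log lines, IPs and baseline paths are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Tuple

UPLOADER = "/systemtab/uploader.aspx"  # compared lower-cased; IIS paths are case-insensitive

# Constructed baseline of legitimate ASPX pages (lower-cased). Generate this from the
# real webroot in practice; login.aspx path below is an assumption, not from the page.
BASELINE_ASPX = {
    "/vsapres/web20/core/login.aspx",
    UPLOADER,
}

# Constructed IIS log excerpt using the default W3C field set.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-07-02 10:15:01 10.0.0.5 GET /vsapres/web20/core/login.aspx - 443 - 10.0.0.20 Mozilla/5.0 - 200 0 0 120
2021-07-02 10:16:44 10.0.0.5 POST /SystemTab/uploader.aspx qqfile=sample.aspx&PathData=- 443 - 203.0.113.9 python-requests/2.25 - 200 0 0 45
2021-07-02 10:16:50 10.0.0.5 GET /sample.aspx - 443 - 203.0.113.9 python-requests/2.25 - 200 0 0 310
2021-07-02 10:17:00 10.0.0.5 GET /vsapres/web20/core/login.aspx - 443 - 10.0.0.21 Mozilla/5.0 - 200 0 0 100
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, field dict) for each data line, driven by the #Fields header."""
    fields: List[str] = []
    for n, line in enumerate(lines, start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        # IIS encodes spaces inside values as '+', so whitespace splitting is safe.
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than misattribute fields
        yield n, dict(zip(fields, parts))


def detect(lines: Iterable[str]) -> List[Finding]:
    """Flag uploader POSTs and requests to ASPX pages outside the baseline."""
    findings: List[Finding] = []
    for n, rec in parse_w3c(lines):
        method = rec.get("cs-method", "")
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "").lower()
        ip = rec.get("c-ip", "-")
        if method == "POST" and stem == UPLOADER:
            # IIS logs only the query string, not the POST body, so the parameters named
            # on this page may not be visible; any POST to the endpoint is worth a look,
            # and the parameter names raise confidence when they do appear.
            reason = "POST to uploader endpoint"
            if "qqfile=" in query or "pathdata=" in query:
                reason += " with qqfile/PathData parameters"
            findings.append(Finding(n, ip, stem, reason))
        elif stem.endswith(".aspx") and stem not in BASELINE_ASPX:
            findings.append(Finding(n, ip, stem, "request to ASPX page not in baseline"))
    return findings


def correlate(findings: List[Finding]) -> List[str]:
    """Client IPs that POSTed to the uploader and afterwards requested a non-baseline ASPX page."""
    first_upload: Dict[str, int] = {}
    hits = set()
    for f in findings:  # findings are in log order
        if f.reason.startswith("POST to uploader"):
            first_upload.setdefault(f.client_ip, f.line_no)
        elif f.client_ip in first_upload and f.line_no > first_upload[f.client_ip]:
            hits.add(f.client_ip)
    return sorted(hits)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"line {f.line_no}: {f.client_ip} {f.uri} -> {f.reason}")
    print("correlated upload-then-request from:", correlate(found))
```

The correlation step is what separates this from a plain URI match: a single POST to the endpoint may be a legitimate administrator, but the same client then requesting an ASPX page that did not exist in the baseline is the sequence the Likely Case section describes.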
