CVE-2021-30120 – This vulnerability allows attackers to bypass t... (How to Fix)

Q: What is the severity of CVE-2021-30120?

CVE-2021-30120 has a CVSS score of 9.9 (CRITICAL). This vulnerability allows attackers to bypass two-factor authentication (2FA) in Kaseya VSA by manipulating client-side authentication logic. Attackers who obtain valid credentials can use a proxy to modify server responses and gain unauthorized access without providing the second factor. This affects all Kaseya VSA users with 2FA enabled on versions before 9.5.7.

📋 TL;DR

This vulnerability allows attackers to bypass two-factor authentication (2FA) in Kaseya VSA by manipulating client-side authentication logic. Attackers who obtain valid credentials can use a proxy to modify server responses and gain unauthorized access without providing the second factor. This affects all Kaseya VSA users with 2FA enabled on versions before 9.5.7.

💻 Affected Systems

Products:

Kaseya Virtual System Administrator (VSA)

Versions: All versions before 9.5.7

Operating Systems: Windows Server, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with 2FA enabled. The vulnerability exists in the authentication flow regardless of specific configuration settings.

📦 What is this software?

Vsa by Kaseya

View all CVEs affecting Vsa →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Kaseya VSA management platform, allowing attackers to deploy ransomware, steal sensitive data, and gain persistent access to managed endpoints across an organization's entire infrastructure.

🟠

Likely Case

Unauthorized administrative access to the VSA console, enabling attackers to execute arbitrary commands on managed systems, deploy malware, and escalate privileges across the network.

🟢

If Mitigated

Limited impact if strong network segmentation, strict access controls, and comprehensive monitoring are in place to detect and block unauthorized authentication attempts.

🌐 Internet-Facing: HIGH - Kaseya VSA is often exposed to the internet for remote management, making it directly accessible to attackers worldwide.

🏢 Internal Only: HIGH - Even internally, compromised credentials combined with this bypass can lead to full system compromise.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires valid username/password credentials and the ability to intercept/modify HTTP traffic. The technique is well-documented and requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.5.7 and later

Vendor Advisory: https://help.kaseya.com/webhelp/EN/RN/index.htm#VSA/ReleaseNotes/Release_Notes_9.5.7.htm

Restart Required: Yes

Instructions:

1. Backup current VSA configuration and database. 2. Download Kaseya VSA 9.5.7 or later from the Kaseya support portal. 3. Run the installer and follow upgrade prompts. 4. Restart VSA services. 5. Verify authentication now properly validates 2FA server-side.

🔧 Temporary Workarounds

Disable 2FA temporarily

all

Temporarily disable two-factor authentication until patching can be completed, reducing the attack surface but increasing other authentication risks.

Navigate to VSA Admin > Security Settings > Two-Factor Authentication > Disable

Network isolation

all

Restrict access to VSA console to specific IP ranges using firewall rules to limit exposure.

# Example iptables rule for Linux
iptables -A INPUT -p tcp --dport 5721 -s TRUSTED_IP_RANGE -j ACCEPT
# Windows Firewall
New-NetFirewallRule -DisplayName "Restrict VSA Access" -Direction Inbound -LocalPort 5721 -Protocol TCP -RemoteAddress TRUSTED_IP_RANGE -Action Allow

🧯 If You Can't Patch

Implement strict network segmentation to isolate VSA servers from general network traffic and critical systems
Enforce strong password policies and credential monitoring to detect compromised accounts before they can be exploited

🔍 How to Verify

Check if Vulnerable:

Check VSA version in Admin > System > About. If version is below 9.5.7 and 2FA is enabled, the system is vulnerable.

Check Version:

In VSA web interface: Admin > System > About, or check registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Kaseya\VSAServer\Version

Verify Fix Applied:

After upgrading to 9.5.7+, attempt to authenticate with valid credentials while using a proxy to modify MFARequired flag. Authentication should fail if 2FA is required.

📡 Detection & Monitoring

Log Indicators:

Multiple failed authentication attempts followed by successful login without 2FA challenge
Unusual source IP addresses accessing VSA console
Authentication logs showing MFARequired flag manipulation

Network Indicators:

HTTP traffic to VSA login endpoint with modified response headers
Proxy tools like Burp Suite communicating with VSA servers
Unusual authentication patterns bypassing normal 2FA flow

SIEM Query:

source="vsa_logs" AND (event_type="authentication" AND mfa_bypass="true") OR (http_request_modified="true" AND destination_port="5721")

📊 Metadata

CVE ID: CVE-2021-30120

CVSS v3 Score: 9.9 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-669

Published: July 9, 2021

Last Updated: November 21, 2024

🔗 References

https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/ Patch,Third Party Advisory
https://csrit.divd.nl/CVE-2021-30120 Permissions Required,Third Party Advisory
https://csrit.divd.nl/DIVD-2021-00011 Permissions Required,Third Party Advisory
https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/ Patch,Third Party Advisory
https://csrit.divd.nl/CVE-2021-30120 Permissions Required,Third Party Advisory
https://csrit.divd.nl/DIVD-2021-00011 Permissions Required,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-30120, you might also want to check these: