CVE-2021-30201

7.5 HIGH
XXE

📋 TL;DR

This is an XML External Entity (XXE) vulnerability in Kaseya VSA's web service API that allows attackers to read arbitrary files on the server and potentially pivot into internal networks. The vulnerability affects Kaseya VSA systems with the vulnerable API endpoint exposed. Attackers can exploit this without authentication to exfiltrate sensitive configuration files and credentials.

💻 Affected Systems

Products:
  • Kaseya Virtual System Administrator (VSA)
Versions: prior to 9.5.6 (fixed in 9.5.6, Feature Release 8, May 2021)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable endpoint /vsaWS/KaseyaWS.asmx is part of the standard Kaseya VSA web service interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Kaseya server leading to credential theft, lateral movement through the network, and potential ransomware deployment across managed endpoints.

🟠 Likely Case

Exfiltration of sensitive configuration files containing credentials, enabling further attacks against the Kaseya infrastructure and managed systems.

🟢 If Mitigated

With external entity resolution blocked, impact is limited to denial of service: malformed XML still reaches the parser and produces errors, but no file contents are disclosed.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is typically exposed to manage remote systems, making internet-facing instances prime targets.
🏢 Internal Only: HIGH - Even internally, this provides attackers with file read capabilities that can lead to credential theft and lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit requires only HTTP POST requests with crafted XML payloads and has been used in real-world attacks including the 2021 Kaseya ransomware incident.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.5.6 (Feature Release 8, May 2021)

Vendor Advisory: https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021

Restart Required: Yes

Instructions:

1. Back up current configuration and data.
2. Download Kaseya VSA 9.5.6 or later from the Kaseya support portal.
3. Run the installer on the VSA server.
4. Restart the Kaseya services.
5. Verify the patch by checking the version in the VSA interface.

🔧 Temporary Workarounds

Disable XXE Processing in XML Parser

Platform: windows

Configure the XML parser to disable external entity resolution and DTD processing.

For .NET applications: set XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit and XmlReaderSettings.XmlResolver = null.

Network Segmentation and Access Control

Platform: all

Restrict access to the vulnerable endpoint using firewall rules or web application firewalls.

  • Block external access to /vsaWS/KaseyaWS.asmx at the network perimeter
  • Implement IP whitelisting for the Kaseya API endpoint

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Kaseya VSA from other critical systems
  • Deploy a web application firewall (WAF) with XXE protection rules in front of the Kaseya server

🔍 How to Verify

Check if Vulnerable:

Send a crafted XXE payload to POST /vsaWS/KaseyaWS.asmx and check if file contents are returned in error messages

Check Version:

Check Help > About in Kaseya VSA web interface or examine installed programs in Windows Control Panel

Verify Fix Applied:

Attempt the same XXE payload after patching; a patched server should return a generic error without file contents.

📡 Detection & Monitoring

Log Indicators:

  • HTTP 500 errors with XML parsing exceptions in web server logs
  • Unusual POST requests to /vsaWS/KaseyaWS.asmx with XML containing DOCTYPE or ENTITY declarations
  • Outbound connections from Kaseya server to unexpected external IPs

Network Indicators:

  • XML payloads containing external entity references in HTTP POST requests
  • Unusual file read patterns from the Kaseya server process

SIEM Query:

source="web_server_logs" AND (uri="/vsaWS/KaseyaWS.asmx" AND status=500 AND message="XML" AND (message="entity" OR message="DTD"))
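The log indicator and SIEM logic above, written out as runnable detection code. This is an added example, not part of the original advisory: the single-line log layout, the sample lines and the parser error strings are constructed assumptions, not Kaseya's actual IIS log format.

```python
import re
from typing import Dict, List, Optional

# Constructed log format (assumption, not Kaseya's real IIS layout):
# date time method uri status client-ip "message"
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) '
    r'(?P<client>\S+) "(?P<message>.*)"$'
)
VSA_ENDPOINT = "/vsaWS/KaseyaWS.asmx"
# Parser messages mentioning an entity or DTD (the advisory's hint words).
XXE_HINT_RE = re.compile(r"\b(entity|DTD)\b", re.IGNORECASE)
# DOCTYPE/ENTITY declarations in a request body (the network indicator).
DTD_DECL_RE = re.compile(r"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_xxe_error(rec: Dict[str, str]) -> bool:
    """POST to the VSA endpoint, HTTP 500, XML error naming an entity or DTD."""
    return (rec["method"] == "POST"
            and rec["uri"].lower() == VSA_ENDPOINT.lower()
            and rec["status"] == "500"
            and "xml" in rec["message"].lower()
            and XXE_HINT_RE.search(rec["message"]) is not None)

def xxe_alerts(log_text: str) -> List[Dict[str, str]]:
    """Return every log record that matches the indicator."""
    recs = (parse_line(ln) for ln in log_text.splitlines())
    return [r for r in recs if r and is_xxe_error(r)]

def body_declares_dtd(body: str) -> bool:
    """Flag a request body that carries a DOCTYPE or ENTITY declaration."""
    return DTD_DECL_RE.search(body) is not None

# Constructed sample lines; the error strings mimic .NET XmlException text.
SAMPLE_LOG = """\
2021-04-01 10:00:01 POST /vsaWS/KaseyaWS.asmx 200 10.0.0.5 "OK"
2021-04-01 10:00:07 POST /vsaWS/KaseyaWS.asmx 500 203.0.113.9 "System.Xml.XmlException: Reference to undeclared entity 'xxe'"
2021-04-01 10:00:09 POST /vsaWS/KaseyaWS.asmx 500 203.0.113.9 "System.Xml.XmlException: DTD is prohibited in this XML document"
2021-04-01 10:00:11 POST /vsaWS/KaseyaWS.asmx 500 10.0.0.5 "System.Xml.XmlException: Root element is missing"
2021-04-01 10:00:12 GET /index.html 500 10.0.0.5 "Internal error"
"""

if __name__ == "__main__":
    for rec in xxe_alerts(SAMPLE_LOG):
        print(f"ALERT {rec['ts']} {rec['client']}: {rec['message']}")
```

Only the two lines whose parser error mentions an entity or DTD are raised; the generic "Root element is missing" failure is left alone, which is the distinction the SIEM query above relies on.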

🔗 References