CVE-2021-30116 Overview
CVE-2021-30116 is a critical credential disclosure vulnerability in Kaseya VSA that was actively exploited in the wild during the notorious July 2021 supply chain attack. The vulnerability exists in Kaseya VSA versions before 9.5.7 and allows attackers to obtain valid credentials through the default download page (/dl.asp), which can then be leveraged to bypass authentication and gain unauthorized access to the system.
By default, Kaseya VSA on-premise installations expose a download page where agent clients can be obtained. When an attacker downloads and installs a Windows client, the file KaseyaD.ini is generated containing an Agent_Guid and AgentPassword. These credentials can be used to authenticate against the download page and obtain a sessionId cookie, enabling subsequent attacks that bypass authentication mechanisms.
Critical Impact
This vulnerability was exploited by the REvil ransomware group in a devastating supply chain attack affecting approximately 1,500 organizations worldwide. The credential disclosure enabled attackers to gain authenticated access to Kaseya VSA servers, which were then used to deploy ransomware to managed service provider (MSP) clients.
Affected Products
- Kaseya VSA Server (versions before 9.5.7)
- Kaseya VSA Agent (versions before 9.5.7)
Discovery Timeline
- 2021-07-09 - CVE-2021-30116 published to NVD
- 2025-11-10 - Last updated in NVD database
Technical Details for CVE-2021-30116
Vulnerability Analysis
This vulnerability is a fundamental flaw in how Kaseya VSA stores agent credentials and authenticates agent software. It combines several weaknesses that work in concert:
- Unauthenticated Download Page Credential Leakage: The default download page at /dl.asp exposes credentials without requiring prior authentication
- Credential Reuse for Session Hijacking: Agent software credentials stored in KaseyaD.ini can be repurposed to obtain session cookies
- Insecure Credential Transmission: The /dl.asp endpoint accepts credentials via GET requests, exposing them in URLs and server logs
- Overly Permissive Authentication Scope: Credentials intended for agent software can authenticate for services not designed for agent access
The vulnerability falls under CWE-522 (Insufficiently Protected Credentials), highlighting the failure to adequately protect sensitive authentication data throughout its lifecycle.
Root Cause
The root cause stems from insufficiently protected credentials in the Kaseya VSA architecture. The KaseyaD.ini configuration file stores the Agent_Guid and AgentPassword in a manner accessible to local users on systems where the agent is installed. More critically, these agent-level credentials are accepted by the /dl.asp endpoint for authentication purposes beyond their intended scope, creating an authentication bypass pathway.
The design decision to accept credentials via GET requests compounds the issue by making credential interception trivial through URL logging, browser history, and network monitoring.
Attack Vector
The attack proceeds through a network-based exploitation path requiring no prior privileges or user interaction:
- An attacker accesses the publicly available download page at https://[target]/dl.asp
- They download and install a Kaseya VSA Windows agent client
- Upon installation, the agent generates C:\Program Files (x86)\Kaseya\[ID]\KaseyaD.ini
- The attacker extracts Agent_Guid and AgentPassword from this configuration file
- Using these credentials, the attacker authenticates via https://[target]/dl.asp?un=[Agent_Guid]&pw=[AgentPassword]
- The server returns a sessionId cookie that grants authenticated access to the Kaseya VSA system
- This session can then be used for further exploitation, including deploying malicious payloads to all managed endpoints
The attack is particularly devastating in MSP environments where a single compromised Kaseya VSA server can provide access to hundreds or thousands of client systems.
Detection Methods for CVE-2021-30116
Indicators of Compromise
- Unusual access patterns to /dl.asp endpoint with credential parameters in URL query strings
- Presence of unauthorized or anomalous KaseyaD.ini files on systems
- Unexpected session cookie generation from agent credential authentication
- Network traffic containing GET requests with un= and pw= parameters to Kaseya servers
Detection Strategies
- Monitor web server logs for requests to /dl.asp containing authentication parameters (un= and pw= query strings)
- Implement file integrity monitoring on KaseyaD.ini files across managed endpoints
- Deploy network-based detection rules for credential-bearing URLs targeting Kaseya infrastructure
- Audit session creation events for anomalous authentication patterns from agent credentials
Monitoring Recommendations
- Enable verbose logging on Kaseya VSA servers and forward logs to SIEM for correlation
- Configure alerts for authentication attempts to /dl.asp from non-agent IP addresses
- Monitor for bulk downloads from the agent download page
- Track lateral movement patterns following any authentication to Kaseya infrastructure
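As an added detection example (not code from the original page or from Kaseya), the log review described above run over constructed IIS W3C log lines. It assumes the VSA web server writes IIS W3C logs with the fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status in that order; it flags /dl.asp requests that carry un= and pw= query parameters and counts per-source requests to the download page to surface bulk downloads.

```python
"""Scan IIS W3C extended log lines for CVE-2021-30116 indicators:
credentials passed to /dl.asp via un=/pw= query parameters, and
source IPs making bulk requests to the agent download page."""
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample lines (not real traffic); field order follows the #Fields header.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-07-02 14:03:11 203.0.113.7 GET /dl.asp - 200
2021-07-02 14:03:40 203.0.113.7 GET /dl.asp un=a1b2c3d4&pw=s3cret 200
2021-07-02 14:04:02 203.0.113.7 GET /dl.asp un=a1b2c3d4&pw=s3cret 200
2021-07-02 14:05:10 198.51.100.4 GET /dl.asp - 200
2021-07-02 14:06:44 203.0.113.7 GET /agentInstall.asp - 200
2021-07-02 14:07:00 203.0.113.7 GET /dl.asp - 200
2021-07-02 14:09:15 198.51.100.9 POST /api/login - 302
"""

FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]


def parse_iis(text):
    """Yield one dict per data line; IIS writes '-' for empty fields and '#' for directives."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(FIELDS, parts))


def scan(text, bulk_threshold=3):
    """Return (credential_hits, bulk_sources).

    credential_hits: (timestamp, client ip, un value) for each /dl.asp request
    that carried both un= and pw= (agent GUID and password in the URL).
    bulk_sources: client IPs with at least bulk_threshold requests to /dl.asp.
    """
    hits, per_ip = [], Counter()
    for rec in parse_iis(text):
        if not rec["cs-uri-stem"].lower().endswith("/dl.asp"):  # IIS paths are case-insensitive
            continue
        per_ip[rec["c-ip"]] += 1
        query = parse_qs(rec["cs-uri-query"]) if rec["cs-uri-query"] != "-" else {}
        if "un" in query and "pw" in query:
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"], query["un"][0]))
    bulk = {ip for ip, n in per_ip.items() if n >= bulk_threshold}
    return hits, bulk
```

The password value is deliberately not kept in the alert tuple so that the finding can be forwarded to a SIEM without re-exposing the credential.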
How to Mitigate CVE-2021-30116
Immediate Actions Required
- Upgrade Kaseya VSA Server and Agent to version 9.5.7 or later immediately
- Review all Kaseya VSA server access logs for evidence of exploitation
- Restrict network access to Kaseya VSA servers using firewall rules and VPN requirements
- Rotate all agent credentials and invalidate existing sessions after patching
Patch Information
Kaseya has released version 9.5.7 which addresses this credential disclosure vulnerability along with other security issues exploited in the July 2021 attacks. Organizations should apply this patch immediately and follow the guidance provided in the Kaseya Important Notice.
For additional technical context, refer to the DIVD Kaseya Limited Disclosure and the CISA Known Exploited Vulnerability catalog entry.
Workarounds
- If immediate patching is not possible, take Kaseya VSA servers offline until patches can be applied
- Implement network segmentation to isolate Kaseya infrastructure from general network access
- Block external access to the /dl.asp endpoint at the firewall or WAF level
- Enable multi-factor authentication for all administrative access to Kaseya VSA
# Example: block external access to the vulnerable endpoint (iptables)
# Caveat: -m string inspects the raw packet payload, so on port 443 the URL path is inside TLS
# and this rule will not match; it only works for plaintext HTTP. Block HTTPS at the WAF or reverse proxy.
iptables -A INPUT -p tcp --dport 80 -m string --string "/dl.asp" --algo bm -j DROP
# Note: implement proper network segmentation and consult Kaseya documentation for complete hardening
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.