Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability

Kaseya Virtual System/Server Administrator (VSA) contains an information disclosure vulnerability allowing an attacker to obtain the sessionId that can be used to execute further attacks against the system.

Published Jul 9, 2021 · Updated May 16, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. CISA has confirmed use of this vulnerability in known ransomware campaigns — treat as high priority for remediation. Federal agencies are required to remediate by 2021-11-17 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Insufficiently Protected Credentials (CWE-522) vulnerability in Kaseya Virtual System/Server Administrator (VSA). Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system. Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.

📧

Phishing link

→

🖼

Malicious file

🔓

Server compromised

Am I affected?Quick check

Probably yes if any of these apply:

●IT Security

●Running vsa agent: v < 9.5.0.24; vsa server: v < 9.5.7a

Real-world incidentsWhat we've seen

Used in known ransomware campaigns. Threat-research write-up: https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply updates per vendor instructions.

References

Vendor advisory: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-30116

CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30116

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2021-30116 ↗ NVD ↗ Vendor Advisory