Mallory
Critical | CISA KEV | Exploited in the wild | Public exploit

Kaseya VSA dl.asp Credential Disclosure and Authentication Bypass

Identifiers: CVE-2021-30116, CWE-200

CVE-2021-30116 affects Kaseya VSA before 9.5.7. The on-premises product exposes a default client download page at /dl.asp. An attacker can download and install a Windows agent client, which generates a KaseyaD.ini file containing an Agent_Guid and AgentPassword. Those credentials can then be supplied to /dl.asp, including via a GET request, to authenticate as an agent and obtain a sessionId cookie. The issue is therefore a credential disclosure flaw combined with improper separation of agent-facing and broader application authentication contexts, enabling authentication bypass for functionality not intended to be accessible to agents. The vulnerability was reported as exploited in the wild during the July 2021 Kaseya VSA compromise.
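To make the two halves of the flaw concrete, the following is an added illustration (not Kaseya code and not from this page) of the pattern the description names: an agent credential pair read from a downloaded KaseyaD.ini, then accepted by a login handler that issues one undifferentiated session for both agents and interactive users. The INI layout, the section name, the placeholder values, the endpoint paths other than /dl.asp and the session structure are all assumptions made for the example; the advisory only states that Agent_Guid and AgentPassword are present and can be supplied to /dl.asp, including by GET.

```python
"""Added illustration of CWE-200 plus a shared session context (hypothetical model).

Not Kaseya's code. Section name, placeholder credentials, endpoint policy and
session layout are assumptions; only /dl.asp, Agent_Guid and AgentPassword
come from the advisory text.
"""
import hmac
import secrets

# Constructed stand-in for a KaseyaD.ini left behind by an agent install.
# The [KServer] section name and the values are assumptions, not real data.
SAMPLE_KASEYAD_INI = """\
; constructed example, not a real file
[KServer]
Agent_Guid=agent-guid-0001
AgentPassword=agent-password-0001
"""

# Constructed agent store: what the server would accept for that agent.
AGENTS = {"agent-guid-0001": "agent-password-0001"}

# Constructed endpoint policy. Paths other than /dl.asp are hypothetical
# stand-ins for "functionality not intended to be accessible to agents".
ENDPOINTS = {
    "/dl.asp": {"agent", "user"},
    "/agent/checkin": {"agent"},
    "/admin/tenants": {"user"},
}

VULN_SESSIONS = {}
HARD_SESSIONS = {}


def extract_agent_credentials(ini_text):
    """Credential disclosure half: pull Agent_Guid / AgentPassword out of an
    INI-style file. Tolerates comments and [section] headers; keys are
    matched case-insensitively."""
    found = {"agent_guid": None, "agentpassword": None}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and key in found:
            found[key] = value.strip()
    if None in found.values():
        raise ValueError("both Agent_Guid and AgentPassword are required")
    return found["agent_guid"], found["agentpassword"]


def _agent_credentials_valid(guid, password):
    expected = AGENTS.get(guid)
    return expected is not None and hmac.compare_digest(expected, password)


def vulnerable_login(method, guid, password):
    """Vulnerable pattern: the HTTP method is ignored (credentials accepted on
    GET), and the sessionId carries no record of *what kind* of principal
    authenticated, so every endpoint honours it."""
    if not _agent_credentials_valid(guid, password):
        return None
    sid = secrets.token_hex(16)
    VULN_SESSIONS[sid] = {"principal": guid}
    return sid


def vulnerable_authorize(sid, path):
    # Any valid session reaches any known endpoint: no separation of contexts.
    return sid in VULN_SESSIONS and path in ENDPOINTS


def hardened_login(method, guid, password):
    """Hardened pattern: credentials only in a POST body, and the session is
    bound to the 'agent' principal type at creation time."""
    if method != "POST" or not _agent_credentials_valid(guid, password):
        return None
    sid = secrets.token_hex(16)
    HARD_SESSIONS[sid] = {"principal": guid, "kind": "agent"}
    return sid


def hardened_authorize(sid, path):
    sess = HARD_SESSIONS.get(sid)
    if sess is None or path not in ENDPOINTS:
        return False
    # The endpoint policy decides which principal kinds may reach it.
    return sess["kind"] in ENDPOINTS[path]
```

With the constructed INI, `vulnerable_login("GET", guid, password)` returns a session that `vulnerable_authorize` accepts for `/admin/tenants`; `hardened_login` refuses the GET, and the session it issues on POST is accepted for `/agent/checkin` and `/dl.asp` but rejected for `/admin/tenants`. The point is that the fix is not only "stop accepting GET": the session must record the authentication context it came from and endpoints must check it.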


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation gives an attacker valid agent credentials, which can be exchanged at /dl.asp for a sessionId cookie and reused in subsequent semi-authenticated requests to the VSA server. That session bypasses the normal authentication requirements for services that were never meant to be reachable with agent credentials, and provides a foothold for further compromise of the VSA installation and, through it, the endpoints it manages. The vulnerability was reported as exploited in the wild in the July 2021 Kaseya VSA compromise associated with REvil activity.

Mitigation

If you can’t patch tonight, do this now.

If an immediate upgrade is not possible: restrict or disable external access to the /dl.asp download page, especially from untrusted networks. Limit exposure of the VSA server to the administrative and agent communication paths that are actually required. Monitor requests to /dl.asp, in particular any that supply agent credentials as GET query parameters or present credentials for agents you do not recognise. Review systems for unauthorised access to KaseyaD.ini files and for anomalous session creation. These steps reduce exposure only; upgrading is required for full remediation.
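The monitoring step above is easiest to act on with a concrete rule. The following is an added example, not from this page or from Kaseya, that scans IIS W3C-format web server logs for requests to /dl.asp and flags those whose query string carries agent credentials. The log lines are constructed for the example; the credential parameter names it looks for (`agent_guid`, `agentpassword`) are assumed from the KaseyaD.ini key names the advisory mentions, since the page does not state the exact query parameters the server accepts.

```python
"""Added detection example: agent credentials in a GET query to /dl.asp.

Not from the advisory or the vendor. Parameter names in CREDENTIAL_PARAMS are
an assumption based on the KaseyaD.ini keys; SAMPLE_LOG is constructed.
"""
from collections import Counter
from urllib.parse import parse_qs

TARGET_PATH = "/dl.asp"
CREDENTIAL_PARAMS = {"agent_guid", "agentpassword"}  # assumed names

# Constructed IIS W3C log excerpt (spaces in User-Agent are '+' as IIS writes them).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-07-02 14:01:10 10.0.0.5 GET /dl.asp - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2021-07-02 14:01:32 10.0.0.5 GET /dl.asp Agent_Guid=0001&AgentPassword=p4ss 443 - 198.51.100.7 curl/7.68.0 200
2021-07-02 14:02:01 10.0.0.5 POST /dl.asp - 443 - 203.0.113.9 KaseyaAgent 200
2021-07-02 14:02:15 10.0.0.5 GET /index.asp - 443 admin 192.0.2.4 Mozilla/5.0+(Windows+NT+10.0) 200
2021-07-02 14:03:00 10.0.0.5 GET /dl.asp os=win 443 - 192.0.2.4 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_w3c(text):
    """Yield one dict per data line, using the most recent #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-map columns
        yield dict(zip(fields, parts))


def classify(rec):
    """Return a severity for a /dl.asp request, or None if nothing to flag."""
    if rec.get("cs-uri-stem", "").lower() != TARGET_PATH:
        return None
    query = rec.get("cs-uri-query", "-")
    if query in ("-", ""):
        return None  # plain download, no parameters: the normal case
    names = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    if names & CREDENTIAL_PARAMS:
        return "high"  # agent credentials passed in the URL
    if rec.get("cs-method") == "GET":
        return "low"  # parameters to /dl.asp: review, usually benign
    return None


def scan(text):
    findings = []
    for rec in parse_w3c(text):
        severity = classify(rec)
        if severity is None:
            continue
        findings.append({
            "severity": severity,
            "time": f"{rec['date']} {rec['time']}",
            "src": rec["c-ip"],
            "method": rec["cs-method"],
            "query": rec["cs-uri-query"],
        })
    return findings


def sources_by_severity(findings, severity="high"):
    """Count offending client IPs so repeat sources stand out."""
    return Counter(f["src"] for f in findings if f["severity"] == severity)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:>4} {f['time']} {f['src']} {f['method']} {f['query']}")
```

Two caveats for anyone deploying this: IIS logs do not record POST bodies, so a client that sends the same credentials in a POST to /dl.asp is invisible to this rule and needs application-level or WAF logging; and a "low" hit on a parameterised GET is only context, not an alert on its own. Pair the rule with a lookup of the Agent_Guid values it captures against your agent inventory, which is the "unrecognized agent credentials" check the mitigation text calls for.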

Remediation

Patch, then assume compromise.

Upgrade Kaseya VSA to version 9.5.7 or later. Because the issue involves exposure of agent credentials and session material, organizations should also rotate any affected credentials, review and invalidate active sessions where possible, and assess whether agent packages or KaseyaD.ini files were exposed or downloaded by unauthorized parties.
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   Product      Type
Kaseya   Vsa Agent    application
Kaseya   Vsa Server   application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
