What is CVE-2021-30116?

CVE-2021-30116 is a critical severity vulnerability classified under CWE-522 (CWE-522). Insufficiently Protected Credentials in Kaseya VSA before 9

How do I fix CVE-2021-30116?

Apply the vendor patch immediately. Additionally, implement defenses against CWE-522 by following secure coding practices. Use Precogs AI to scan your codebase for similar vulnerabilities.

CVE-2021-30116

Insufficiently Protected Credentials in Kaseya VSA before 9

Verified by Precogs Threat Research

Last Updated: Nov 10, 2025

Base Score

10CRITICAL

Executive Summary

CVE-2021-30116 is a critical severity vulnerability affecting pii-secrets. It is classified as CWE-522. This vulnerability is actively being exploited in the wild.

Precogs AI Insight

"Kaseya VSA contains a critical credential leak vulnerability in its web interface. Attackers bypass authentication and execute ransomware (REvil) across the entire managed supply chain. Precogs PII & Secrets Scanner continuously monitors for exposed credentials and authentication bypass conditions."

Exploit Probability (EPSS)

High (54.1%)

Public POC

Available

Exploit Probability

High (84%)

Public POC

Actively Exploited

Affected Assets

pii secretsCWE-522

What is this vulnerability?

CVE-2021-30116 is categorized as a critical Insufficiently Protected Credentials flaw with a CVSS base score of 10. Based on our vulnerability intelligence, this issue occurs when the application fails to securely handle untrusted data boundaries.

Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.

This architectural defect enables adversaries to bypass intended security controls, directly manipulating the application's execution state or data layer. Immediate strategic intervention is required.

Risk Assessment

Metric	Value
CVSS Base Score	10 (CRITICAL)
Vector String	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
Published	July 9, 2021
Last Modified	November 10, 2025
Related CWEs	CWE-522, CWE-522

Impact on Systems

✅ Credential Theft: Exposed secrets enable unauthorized access to infrastructure, cloud services, and third-party integrations.

✅ Compliance Violation: Leaking PII or credentials may violate GDPR, HIPAA, PCI-DSS, and SOC 2 requirements.

✅ Supply Chain Risk: Compromised credentials in public repositories can propagate to downstream consumers.

How to Fix and Mitigate CVE-2021-30116

Apply Vendor Patches Immediately: This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog. Apply updates per vendor instructions.
Verify Patch Deployment: Confirm all instances are updated using Precogs continuous monitoring.
Review Audit Logs: Investigate historical access logs for indicators of compromise related to this attack surface.
Implement Defense-in-Depth: Deploy WAF rules, network segmentation, and endpoint detection to limit blast radius.

Defending with Precogs AI

Kaseya VSA contains a critical credential leak vulnerability in its web interface. Attackers bypass authentication and execute ransomware (REvil) across the entire managed supply chain. Precogs PII & Secrets Scanner continuously monitors for exposed credentials and authentication bypass conditions.

Use Precogs to continuously scan your codebase, binaries, APIs, and infrastructure for this vulnerability class and related attack patterns. Our AI-powered detection engine combines static analysis with threat intelligence to identify exploitable weaknesses before attackers do.

Start scanning with Precogs →

Vulnerability Code Signature

Attack Data Flow

Stage	Detail
Source	Source code repository or API response
Vector	Secrets embedded directly in the codebase or PII leaked in response
Sink	Version control system or HTTP response
Impact	Data breach, unauthorized access, compliance violation

Vulnerable Code Pattern

// ❌ VULNERABLE: Hardcoded credential & PII Leak
public class Config {
    // Taint sink: secret embedded in code
    public static final String API_KEY = "sk_live_1234567890abcdef";
}

// ... API Response leaks full user details including SSN ...

Secure Code Pattern

// ✅ SECURE: Environment variables & Data Masking
public class Config {
    // Sanitized configuration
    public static final String API_KEY = System.getenv("STRIPE_API_KEY");
}

// ... API Response masks SSN and restricts PII exposure ...

How Precogs Detects This

Precogs PII & Secrets Scanner continuously monitors codebases and API responses for hardcoded secrets and unintended PII exposure.\n

Related Vulnerabilitiesvia CWE-522

View all CWE-522 vulnerabilities →

Is your system affected?

Precogs AI detects CVE-2021-30116 in compiled binaries, LLMs, and application layers — even without source code access.

Request Deep Analysis Book a demo