What is Kaseya VSA?
Kaseya Virtual System/Server Administrator (VSA) is an IT management platform used primarily by Managed Service Providers (MSPs) to remotely monitor, manage, and patch client endpoints. VSA agents run on client machines and communicate back to the central VSA server, which MSPs use to deploy software, push policies, and execute scripts across all managed devices simultaneously. This architecture makes VSA a "single pane of glass" attacker target: compromising the VSA server grants access to push commands to every endpoint managed by the MSP — potentially thousands of client machines across dozens of customer organizations.
Overview
CVE-2021-30116 is an information disclosure vulnerability (CWE-522) in Kaseya VSA that allows unauthenticated attackers to extract session IDs from the VSA web interface. The disclosed session IDs can then be used to bypass authentication and gain administrative access to the VSA server without valid credentials. This vulnerability was one of several used by the REvil ransomware group in the July 4, 2021 weekend attack — the largest single ransomware event in history at the time. REvil compromised approximately 60 Kaseya MSP customers and, through those MSPs, encrypted systems at roughly 1,500 downstream business organizations. REvil initially demanded $70 million for a universal decryptor. The attack was a zero-day: DIVD researchers had discovered the vulnerabilities and were coordinating disclosure with Kaseya when REvil attacked before the patch was ready.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Kaseya VSA On-Premises before 9.5.7a | Yes | 9.5.7a |
| Kaseya VSA SaaS | Patched by Kaseya directly | N/A |
Technical Details
The Kaseya VSA web interface includes authentication and session management code that improperly exposes session identifiers:
- Root cause: Insufficiently protected credentials (CWE-522) — the VSA web application discloses session ID tokens in responses accessible to unauthenticated users
- Authentication bypass: The extracted session IDs can be replayed to authenticate as a VSA administrator without knowing the administrator's password
- Attack chain: REvil combined CVE-2021-30116 with additional VSA vulnerabilities (authentication bypass and SQL injection flaws discovered by DIVD) to gain full administrative access, then used VSA's legitimate software deployment capability to push the Sodinokibi/REvil ransomware to all managed endpoints
- Scope: Changed — the attack crosses security boundaries: VSA access enables command execution on all VSA agent-managed endpoints, which are in separate customer networks
- CVSS 10.0 reflects the maximum possible impact given the supply-chain nature: one server compromised, thousands of downstream machines affected
Discovery
Discovered by Wietse Boonstra and researchers at the Dutch Institute for Vulnerability Disclosure (DIVD). DIVD notified Kaseya and was coordinating responsible disclosure when REvil exploited the vulnerabilities as a zero-day attack on July 2, 2021 — before the patch was complete.
Exploitation Context
The July 4, 2021 REvil attack is one of the most significant ransomware events in history. REvil targeted the July 4 US holiday weekend deliberately to maximize impact while IT staff were unavailable. By attacking MSPs rather than individual companies, REvil multiplied their reach: each compromised MSP gave access to dozens of client organizations. The $70 million ransom demand was the largest ever at the time. The attack prompted CISA and the FBI to issue emergency guidance. Kaseya ultimately obtained a universal decryptor key through an undisclosed third party (later reported to be the FBI, which obtained the key from a server it had accessed) and distributed it without paying the ransom.
Remediation
- Upgrade Kaseya VSA to version 9.5.7a or later immediately
- If immediate patching is not possible, shut down the VSA server and take it offline — Kaseya's emergency recommendation was to power off all on-premises VSA servers
- Review VSA audit logs for unauthorized administrative sessions, policy changes, and software deployment events
- Audit all managed endpoints for ransomware artifacts or unauthorized software deployment using the VSA deployment feature
- After patching, rotate all VSA administrative credentials
- Implement IP allowlisting for VSA web interface access — restrict to known administrator IP ranges
- Consider network segmentation to limit what VSA agent-managed machines can access within client networks, reducing lateral movement potential if VSA is compromised
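The audit-log review above (unauthorized administrative sessions, policy changes, deployment events) and the IP allowlisting step can be combined into one defensive check. The following is an added example, not Kaseya's code or a VSA-specific parser: it uses a constructed, hypothetical pipe-delimited log format and an assumed administrator IP range, and flags a session ID seen from more than one source address (the signature of a disclosed session ID being replayed), sessions from outside the allowlist, and mass deployments issued from a flagged session.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in a hypothetical "timestamp|event|session_id|source_ip|detail"
# layout; a real VSA audit export has its own fields and must be mapped onto these.
SAMPLE_LOG = """\
2021-07-02T14:01:05Z|ADMIN_LOGIN|sess-7f3a|203.0.113.10|user=kadmin
2021-07-02T14:03:17Z|POLICY_CHANGE|sess-7f3a|203.0.113.10|policy=patch-window
2021-07-02T14:09:41Z|ADMIN_LOGIN|sess-7f3a|198.51.100.77|user=kadmin
2021-07-02T14:10:02Z|AGENT_PROCEDURE_DEPLOY|sess-7f3a|198.51.100.77|targets=1432
2021-07-02T15:22:09Z|ADMIN_LOGIN|sess-91c0|203.0.113.11|user=kadmin
"""

# Assumed MSP administrator range for the allowlist (placeholder, documentation prefix).
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

def parse(log_text):
    """Split the constructed log format into dict rows."""
    rows = []
    for line in log_text.splitlines():
        ts, event, sid, ip, detail = line.split("|", 4)
        rows.append({"ts": ts, "event": event, "sid": sid, "ip": ip, "detail": detail})
    return rows

def in_allowlist(ip, allowlist=ADMIN_ALLOWLIST):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)

def find_suspicious_sessions(rows, allowlist=ADMIN_ALLOWLIST):
    """Return {session_id: [reasons]} for sessions that look replayed or abused."""
    ips_by_sid = defaultdict(set)
    for r in rows:
        ips_by_sid[r["sid"]].add(r["ip"])
    findings = defaultdict(list)
    for sid, ips in ips_by_sid.items():
        # A disclosed session ID replayed by someone else shows up as one session
        # active from more than one source address.
        if len(ips) > 1:
            findings[sid].append("session used from multiple source IPs: " + ", ".join(sorted(ips)))
        outside = sorted(ip for ip in ips if not in_allowlist(ip, allowlist))
        if outside:
            findings[sid].append("admin session from non-allowlisted IP: " + ", ".join(outside))
    for r in rows:
        # Mass deployment from an already-flagged session is the VSA-specific impact to triage first.
        if r["event"] == "AGENT_PROCEDURE_DEPLOY" and r["sid"] in findings:
            findings[r["sid"]].append(f"mass deployment from flagged session at {r['ts']} ({r['detail']})")
    return dict(findings)

if __name__ == "__main__":
    for sid, reasons in find_suspicious_sessions(parse(SAMPLE_LOG)).items():
        print(sid, *reasons, sep="\n  ")
```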
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-30116 |
| Vendor / Product | Kaseya — Virtual System/Server Administrator (VSA) |
| NVD Published | 2021-07-09 |
| NVD Last Modified | 2025-11-10 |
| CVSS 3.1 Score | 10.0 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-522 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | Yes |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Changed |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Timeline
| Date | Event |
|---|---|
| 2021-07-02 | Dutch Institute for Vulnerability Disclosure (DIVD) discovers vulnerabilities in VSA; coordinates with Kaseya on disclosure — patch not yet released |
| 2021-07-02 | REvil ransomware group begins attacking Kaseya VSA servers before patch release (zero-day attack) |
| 2021-07-04 | Kaseya shuts down SaaS servers; warns on-premises customers to shut down VSA; CISA and FBI issue advisory |
| 2021-07-09 | CVE published; Kaseya releases VSA 9.5.7a patch |
| 2021-07-21 | REvil infrastructure goes offline; ransom negotiations stall |
| 2021-07-22 | Kaseya obtains universal decryptor (source: liaison with law enforcement) |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Kaseya VSA Security Advisory — July 2021 | Vendor Advisory |
| CISA/FBI Guidance for MSPs and Customers Affected by Kaseya Attack | US Government |
| Huntress Labs — Kaseya VSA Mass MSP Compromise | Security Research |
| NVD — CVE-2021-30116 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |