Skip to content

Add CVE-2021-30116 (KEV and vKEV)#13558

Merged
pussycat0x merged 1 commit intoprojectdiscovery:mainfrom
daffainfo:patch-8
Oct 20, 2025
Merged

Add CVE-2021-30116 (KEV and vKEV)#13558
pussycat0x merged 1 commit intoprojectdiscovery:mainfrom
daffainfo:patch-8

Conversation

@daffainfo
Copy link
Copy Markdown
Contributor

@daffainfo daffainfo commented Oct 11, 2025

Template / PR Information

Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.

Template Validation

I've validated this template locally?

  • YES
  • NO

Debug


                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.10

                projectdiscovery.io

[INF] Current nuclei version: v3.4.10 (latest)
[INF] Current nuclei-templates version: v10.3.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 124
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2021-30116] Dumped HTTP request for https://REDACTED/dl.asp

GET /dl.asp HTTP/1.1
Host: REDACTED
User-Agent: Mozilla/5.0 (Fedora; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [CVE-2021-30116] Dumped HTTP response https://REDACTED/dl.asp

HTTP/1.1 200 OK
Connection: close
Content-Length: 6931
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Sat, 11 Oct 2025 04:18:38 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET


<html>
<head>
<title>Download Agent</title>
<link rel="shortcut icon" href="/themes/default/images/favicon.ico?0.840870477993253">
<meta name="robots" content="noindex,nofollow" />
<meta name="viewport" content="width=device-width,minimum-scale=1.0,maximum-scale=1.0"/>
[SNIPPET]

</head>
<script language='javascript'>
removeFile = true;
unType = "0";
function removeDownload() {
    // launch a new window to run an ASP page in that will delete the download
    // package with this page is unloaded. Make it invisible by positioning it off screen
    if (removeFile == true) {
        delDownloadWin = window.open("/remdl.asp?un="+unType,"delDownloadWin",
            "dependent,toolbar=no,resizable=no,width=2,height=2,top=3000,left=3000");
    }
}
function setupDownload(dlLink) {
    if (dlLink.indexOf("?id=") > 0) {
        unType = "VSA-default-"+dlLink.substr(dlLink.indexOf("?id=")+"?id=".length);
    }
    dlWin = window.open(dlLink,"dlWin","dependent,width=2,height=2,top=3000,left=3000");
}
</script>
<body topmargin=0 leftmargin=3 bgcolor="#FFFFFF" onUnload="removeDownload()">
<p><img src='/ManagedFiles/SiteCustomization/2008logo.gif'></p><p>Install the <b></b> Agent on your machine.<br>The Agent allows your system administrator to remotely and transparently manage your PC.</p><ol><li>Click  to begin installation of the Agent</li><li>Click <b>Open</b> to run this program from its current location</li></ol> <table style='margin:10px 0px 30px 30px;'><tr><td style='padding-right:20px;'><a href='javascript:setupDownload("/mkDefault.asp?id=-1")'>Default Install</a></td><td>Creates a agent in the public &#34;unnamed&#34; group ID.</td></tr><tr><td style='padding-right:20px;'><a href='javascript:setupDownload("/mkDefault.asp?id=11225348")'>Mac Install</a></td><td>For Mac</td></tr> </table>
</body>
</html>
[INF] [CVE-2021-30116] Dumped HTTP request for https://REDACTED/mkDefault.asp?id=-1

GET /mkDefault.asp?id=-1 HTTP/1.1
Host: REDACTED
User-Agent: Mozilla/5.0 (Knoppix; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Cookie: ASPSESSIONIDQCCTRRST=INPJEKOAPCICGHJAOPHPADDJ
Accept-Encoding: gzip

[DBG] [CVE-2021-30116] Dumped HTTP response https://REDACTED/mkDefault.asp?id=-1

HTTP/1.1 302 Object moved
Connection: close
Content-Length: 157
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Sat, 11 Oct 2025 04:18:39 GMT
Location: /install/VSA-default--1/KcsSetup.exe
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/install/VSA-default--1/KcsSetup.exe">here</a>.</body>
[CVE-2021-30116:regex-1] [http] [critical] https://REDACTED/mkDefault.asp?id=-1
[CVE-2021-30116:status-2] [http] [critical] https://REDACTED/mkDefault.asp?id=-1
[INF] [CVE-2021-30116] Dumped HTTP request for https://REDACTED/mkDefault.asp?id=11225348

GET /mkDefault.asp?id=11225348 HTTP/1.1
Host: REDACTED
User-Agent: Mozilla/5.0 (CentOS; Linux i686; rv:130.0) Gecko/20100101 Firefox/130.0
Connection: close
Accept: */*
Accept-Language: en
Cookie: ASPSESSIONIDQCCTRRST=INPJEKOAPCICGHJAOPHPADDJ
Accept-Encoding: gzip

[DBG] [CVE-2021-30116] Dumped HTTP response https://REDACTED/mkDefault.asp?id=11225348

HTTP/1.1 302 Object moved
Connection: close
Content-Length: 163
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Sat, 11 Oct 2025 04:18:41 GMT
Location: /install/VSA-default-11225348/KcsSetup.zip
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/install/VSA-default-11225348/KcsSetup.zip">here</a>.</body>
[INF] Scan completed in 4.864080833s. 2 matches found.

@github-actions github-actions bot requested a review from pussycat0x October 11, 2025 04:22
@Akokonunes Akokonunes added the Done Ready to merge label Oct 11, 2025
@Akokonunes
Copy link
Copy Markdown
Contributor

Akokonunes commented Oct 11, 2025

Hi @daffainfo, Thank you for contributing templates to the project.

@pussycat0x pussycat0x merged commit 974169b into projectdiscovery:main Oct 20, 2025
4 checks passed
@algora-pbc
Copy link
Copy Markdown

algora-pbc bot commented Oct 21, 2025

🎉🎈 @daffainfo has been awarded $200 by ProjectDiscovery! 🎈🎊

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pussycat0x pussycat0x pussycat0x approved these changes

Assignees

@Akokonunes Akokonunes

Labels

Done Ready to merge Hacktoberfest 💰 Rewarded

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@daffainfo @Akokonunes @pussycat0x