CVE-2021-30120
published 2021-07-09


Priority: P1 (84, high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Tags: ITW, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 5.70% (92.1th percentile)
Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication is enforced client-side instead of server-side and can be bypassed using a local proxy, rendering 2FA useless.

Detailed description

During the login process, after the user authenticates with username and password, the server sends a response to the client containing the booleans MFARequired and MFAEnroled. If an attacker who has obtained a user's password uses an intercepting proxy (e.g. Burp Suite) to change the value of MFARequired from True to False, there is no prompt for the second factor, but the user is still logged in.
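The design flaw is that the server decides whether to prompt for a second factor but never records, server-side, whether that factor was actually presented. The following added example (not Kaseya's code; user store, field names and the session object are constructed for illustration) contrasts that shape with one where the session itself carries the MFA state and nothing the client sends can clear it:

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed user store for the example; a real one holds password hashes and TOTP secrets.
USERS = {"alice": {"password": "correct horse", "mfa_enrolled": True, "otp": "246810"}}

@dataclass
class Session:
    user: str
    mfa_pending: bool   # server-side record of whether the second factor is still owed
    token: str = ""

def _password_ok(user: str, password: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)

# Vulnerable shape (the CVE-2021-30120 pattern): the password step mints a fully
# usable session and merely *advises* the client, via MFARequired, to show the prompt.
def vulnerable_login(user: str, password: str):
    if not _password_ok(user, password):
        return None
    enrolled = USERS[user]["mfa_enrolled"]
    session = Session(user, mfa_pending=False, token=secrets.token_hex(8))
    return {"MFARequired": enrolled, "MFAEnroled": enrolled, "session": session}

def vulnerable_access_granted(session: Session) -> bool:
    # No server-side check of the second factor: only the client looked at the flag.
    return True

# Hardened shape: the session starts in a pending state for enrolled users and the
# server refuses access until verify_mfa() clears it. What the client does with any
# response flag is irrelevant, so a proxy flipping a boolean changes nothing.
def hardened_login(user: str, password: str):
    if not _password_ok(user, password):
        return None
    return Session(user, mfa_pending=USERS[user]["mfa_enrolled"], token=secrets.token_hex(8))

def verify_mfa(session: Session, otp: str) -> bool:
    if hmac.compare_digest(USERS[session.user]["otp"], otp):
        session.mfa_pending = False
    return not session.mfa_pending

def hardened_access_granted(session: Session) -> bool:
    return not session.mfa_pending
```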

Affected

1 range

Vendor  | Product | Version range | Fixed in
kaseya  | vsa     | <= 9.5.6      |

Detection & IOCs (extracted from sources)

  • During login, intercept the server response after valid credential submission and look for the boolean fields 'MFARequired' and 'MFAEnroled'; a manipulation of 'MFARequired' from True to False indicates exploitation of CVE-2021-30120.
  • CVE-2021-30120 was exploited by REvil ransomware group in July 2021 as part of a supply-chain attack on Kaseya VSA managed service providers, alongside CVE-2021-30116 and CVE-2021-30119.
  • The 2FA requirement is enforced client-side rather than server-side in Kaseya VSA before 9.5.7; the MFARequired boolean in the login response controls whether the second factor is prompted, so it can be bypassed by manipulating the response in a proxy.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd       | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:N/I:P/A:N
vulncheck |         | 9.9   | CRITICAL |