CVE-2021-30120
published 2021-07-09
CVE-2021-30120: Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication is enforced client-side instead of server-side…
Priority: P184 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Tags: ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 5.70% (92.1st percentile)
Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication is enforced client-side instead of server-side and can be bypassed using a local proxy, rendering 2FA useless.

Detailed description: During the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If an attacker has obtained a user's password and uses an intercepting proxy (e.g. Burp Suite) to change the value of MFARequired from True to False, there is no prompt for the second factor, yet the user is still logged in.
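The flaw described above is a server that treats a password-only session as fully logged in and leaves the decision to prompt for the second factor to the client. The following added example (written for this page; it is not Kaseya code and does not reflect VSA's real login API) contrasts that pattern with server-side enforcement: the session records which factors have actually been verified, so whatever the client does with the MFARequired flag in the login response, a protected resource is only released once the server itself has checked the second factor. The user store, password, HOTP secret and endpoint names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo user store; credentials and secret are invented for this example.
USERS = {
    "alice": {
        "password_hash": hashlib.sha256(b"correct-horse-battery").hexdigest(),
        "mfa_enrolled": True,
        "otp_secret": b"demo-secret-not-real",
    }
}

# Server-side session state: which factors have been satisfied for this session.
SESSIONS = {}  # session_id -> {"user", "mfa_required", "mfa_verified"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: stands in for the user's authenticator app."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login_password(username: str, password: str):
    """Step 1: first factor. Returns (session_id, response) where the response
    carries the MFARequired / MFAEnroled booleans the client receives, as in the
    flow described for CVE-2021-30120. The flags are informational only."""
    user = USERS.get(username)
    if user is None:
        return None, {"ok": False}
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(given, user["password_hash"]):
        return None, {"ok": False}
    sid = secrets.token_hex(16)
    # The server itself records that only the password has been checked so far.
    SESSIONS[sid] = {"user": username,
                     "mfa_required": user["mfa_enrolled"],
                     "mfa_verified": False}
    return sid, {"ok": True,
                 "MFARequired": user["mfa_enrolled"],
                 "MFAEnroled": user["mfa_enrolled"]}


def verify_second_factor(sid: str, code: str, counter: int = 0) -> bool:
    """Step 2: second factor, checked server-side with a constant-time compare."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    expected = hotp(USERS[sess["user"]]["otp_secret"], counter)
    if hmac.compare_digest(code, expected):
        sess["mfa_verified"] = True
        return True
    return False


def is_logged_in_vulnerable(sid: str) -> bool:
    """Vulnerable pattern: the password stage alone makes the session valid and the
    MFA prompt is left to the client, so a client that never sends a second factor
    (for example because it saw MFARequired=False) is still treated as logged in."""
    return sid in SESSIONS


def is_logged_in_hardened(sid: str) -> bool:
    """Hardened pattern: the server only trusts its own record of verified factors.
    The client-visible flag plays no part in the decision."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    return (not sess["mfa_required"]) or sess["mfa_verified"]


def run_demo() -> dict:
    """Walk the flow: password accepted, client skips the MFA step, then completes it."""
    sid, resp = login_password("alice", "correct-horse-battery")
    resp["MFARequired"] = False  # what a tampered response looks like to the client
    skipped = {"vulnerable": is_logged_in_vulnerable(sid),
               "hardened": is_logged_in_hardened(sid)}
    verify_second_factor(sid, hotp(USERS["alice"]["otp_secret"], 0))
    return {"after_password_only": skipped,
            "after_second_factor": is_logged_in_hardened(sid)}


if __name__ == "__main__":
    print(run_demo())
```

The point of `is_logged_in_hardened` is that authorization consults only `SESSIONS`, which the client cannot write to; flipping MFARequired in the response changes what the browser displays but not what the server has verified.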
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaseya | vsa | <= 9.5.6 | — |
Detection & IOCs (extracted from sources)
- During login, the server response after valid credential submission carries the boolean fields 'MFARequired' and 'MFAEnroled'; a manipulation of 'MFARequired' from True to False in that response indicates exploitation of CVE-2021-30120.
- CVE-2021-30120 was exploited by the REvil ransomware group in July 2021 as part of a supply-chain attack on Kaseya VSA managed service providers, alongside CVE-2021-30116 and CVE-2021-30119.
- The 2FA requirement is enforced client-side rather than server-side in Kaseya VSA before 9.5.7; the MFARequired boolean in the login response controls whether the second factor is prompted, making it trivially bypassable via proxy manipulation.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vulncheck | — | 9.9 | CRITICAL | — |
GHSA
GHSA-r6j9-rwx4-qcj3: Kaseya VSA through 9
ghsa_unreviewed·2022-05-24
CVE-2021-30120 [HIGH] CWE-863 GHSA-r6j9-rwx4-qcj3: Kaseya VSA through 9
Kaseya VSA through 9.5.7 allows attackers to bypass the 2FA requirement.
VulnCheck
Kaseya vsa Incorrect Resource Transfer Between Spheres
vulncheck·2021·CVSS 9.9
CVE-2021-30120 [CRITICAL] Kaseya vsa Incorrect Resource Transfer Between Spheres
Affected: Kaseya vsa
Required Action: Apply remediations or mitigations per vendor instruct
No detection rules found.
No public exploits indexed.
Trendmicro
Leveraging Data Science to Minimize the Blast Radius of Ransomware Attacks
blogs_trendmicro·2023-03-02
Leveraging Data Science to Minimize the Blast Radius of Ransomware Attacks
Ransomware
In this blog entry, we present a case study that illustrates how data-science techniques can be used to gain valuable insights about ransomware groups' targeting patterns as detailed in our research paper, “What Decision-Makers Need to Know About Ransomware Risk.”
By: Vladimir Kropotov, Robert McArdle, Fyodor Yarochkin, Shingo Matsugaya
2023/03/02
In partnership with: Erin Burns, Eireann Leverett of Waratah Analytics
As ransomware groups continue to build on their arsenal of tactics, techniques, and procedures (TTPs), it's essential for cybersecurity professionals to assess the levels of risk to their organizations using multiple sources of information for a comp
Tenable
Behind the Scenes: How We Picked 2021’s Top Vulnerabilities – and What We Left Out
blogs_tenable·2022-03-11
Behind the Scenes: How We Picked 2021’s Top Vulnerabilities – and What We Left Out
Tenable
CVE-2021-30116: Multiple Zero-Day Vulnerabilities in Kaseya VSA Exploited to Distribute REvil Ransomware
blogs_tenable·2021-07-06·CVSS 10.0
[CRITICAL] CVE-2021-30116: Multiple Zero-Day Vulnerabilities in Kaseya VSA Exploited to Distribute REvil Ransomware
HackerOne
2FA Bypass via Response Manipulation on Login Page
hackerone·2026-01-12·CVSS 9.9
[CRITICAL] 2FA Bypass via Response Manipulation on Login Page
**Description:**
I discovered a vulnerability in the Two-Factor Authentication (2FA) mechanism of your website, stemming from an insecure design flaw. The issue arises from the way the system handles 2FA verification. Specifically, the verification process can be bypassed by intercepting and manipulating the server's response. As a result, an attacker can gain unauthorized access to an account after providing the correct login credentials, without the need to submit the correct 2FA code. This flaw highlights a weakness in the design of the 2FA flow, where the server fails to enforce proper security checks after the initial login phase.
## References
https://hackerone.com/reports/1943252
## Impact
This vulnerability allows an attacker w