{"uuid": "f4792667-bb71-4a66-bd8a-10ae86a380d6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-30116", "type": "exploited", "source": "https://t.me/arpsyndicate/1318", "content": "#ExploitObserverAlert\n\nCVE-2021-30116\n\nDESCRIPTION: Exploit Observer has 8 entries related to CVE-2021-30116. Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp. When an attacker downloads a client for Windows and installs it, the file KaseyaD.ini is generated (C:\\Program Files (x86)\\Kaseya\\XXXXXXXXXX\\KaseyaD.ini) which contains an Agent_Guid and AgentPassword. This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813", "creation_timestamp": "2023-12-04T22:12:22.000000Z"}