PT-2021-18662 · Kaseya · Kaseya Vsa

Frank Breedijk +4 · Published 2021-07-09 · Updated 2022-04-29 · CVE-2021-30201

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Kaseya VSA versions prior to 9.5.6

Description: The issue is an XML External Entity (XXE) vulnerability. It allows an attacker to submit malicious XML to the system via the API endpoint "/vsaWS/KaseyaWS.asmx". When this XML is processed, external entities are resolved and fetched by the system without restriction, potentially returning sensitive information to the attacker. This can be exploited to read any file on the server that the web server process can access. It can also be used to make HTTP(S) requests within the local network, allowing an attacker to use the Kaseya system as a pivot into the local network.

Recommendations: For versions prior to 9.5.6, update to version 9.5.6 or later to resolve the issue. As a temporary workaround, restrict access to the "/vsaWS/KaseyaWS.asmx" API endpoint until the patch is applied, and avoid using the XmlRequest parameter of the affected API endpoint until the issue is resolved.
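The root cause above is a parser that resolves DTD entity declarations in attacker-supplied XML. As an added example (not Kaseya's code), the Python check below rejects any request body that declares a DOCTYPE or an entity before it reaches the application's parser, which removes the precondition for XXE; the sample request bodies and the `file:///PLACEHOLDER` URI are constructed for the illustration.

```python
"""Pre-parse check that refuses XML carrying DTD or entity declarations.
Added illustration of the XXE defence; the sample bodies are constructed."""
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXmlError(ValueError):
    """Request body declares a DTD or an entity, so it is rejected unparsed."""

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE is refused: the endpoint's requests never need one.
    raise UnsafeXmlError(f"DOCTYPE declaration not allowed: {name!r}")

def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    # External entities (SYSTEM/PUBLIC) are the XXE vector; internal ones
    # are refused too, to block entity-expansion tricks.
    kind = "external" if (sysid or pubid) else "internal"
    raise UnsafeXmlError(f"{kind} entity declaration not allowed: {name!r}")

def _reject_external_ref(context, base, sysid, pubid):
    raise UnsafeXmlError(f"external entity reference not allowed: {sysid!r}")

def check_xml_request(body: bytes) -> None:
    """Run expat over the body; raise UnsafeXmlError on DTD/entity use."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _reject_external_ref
    parser.Parse(body, True)  # ExpatError on malformed XML

def is_safe(body: bytes) -> bool:
    try:
        check_xml_request(body)
        return True
    except UnsafeXmlError:
        return False

def parse_xml_request(body: bytes) -> ET.Element:
    """Validate first, then hand the body to the normal parser."""
    check_xml_request(body)
    return ET.fromstring(body)


# Constructed sample bodies, not real Kaseya traffic.
BENIGN = b'<?xml version="1.0"?><request><user>alice</user></request>'
XXE_SHAPED = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
              b'<request><user>&ext;</user></request>')
```

A policy this strict also refuses harmless DOCTYPEs, which is acceptable for a machine-to-machine API whose callers never send one.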

Exploit

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2021-30201

Affected Products

Kaseya Vsa