Table of Contents
  • Home
  • /
  • Blog
  • /
  • Kaseya Rolled Out A Patch For VSA Supply-Chain Attack
July 12, 2021

Kaseya Rolled Out A Patch For VSA Supply-Chain Attack

Kaseya Rolled Out Patches For Vsa Supply Chain Attack

In the previous week, we published an article in which we have reported about Kaseya’s supply chain attack, which was discovered early this month. Now, almost ten days later, on 11th July, Kaseys has released a patch for VSA supply-chain attack. The Florida-based software company has fixed three new security vulnerabilities in the released patch to address critical security issues in its Virtual System Administrator (VSA) solution. With this update, the company has fixed a total of seven vulnerabilities, including the three new vulnerabilities. Lets see the changes Kaseya has made in the VSA release 9.5.7a.

Three new vulnerabilities fixed in the 11th July updates:

  • CVE-2021-30116: Credentials leak and business logic flaw (Fixed in VSA 9.5.7a)

  • CVE-2021-30119: Cross-site scripting vulnerability (Fixed in VSA 9.5.7a)

  • CVE-2021-30120: Two-factor authentication bypass (Fixed in VSA 9.5.7a)

Remaining four vulnerabilities reported by DIVD in April 2021:

  • CVE-2021-30117: SQL injection vulnerability (Fixed in VSA 9.5.6)

  • CVE-2021-30118: Remote code execution vulnerability (Fixed in VSA 9.5.5)

  • CVE-2021-30121: Local file inclusion vulnerability (Fixed in VSA 9.5.6)

  • CVE-2021-30201: XML external entity vulnerability (Fixed in VSA 9.5.6)

New Password Policy Rolled Out In The Release:

In the recently released patch VSA version 9.5.7a (, Kaseya has made password rest mandatory. Those who install the new patch should change their passwords post login to meet new password requirements.All users will be re-directed to the System > User Settings > Change Logon page, after installing the patch. There they need to change their password.
The update shipped with these changes in the password policy:

  • Password cant be older than 30 days.

  • The minimum password length cannot be less than 16 characters.

  • Password reuse cannot be less than five passwords.

  • The System now enforces all the rules.

Agent Procedures Approvals:

The VSA release 9.5.7a release has made all the changes on the agent procedures that must be approved by a master administrator. It is not possible to disable Agent Procedure signing and approval anymore.

Disabled A Few REST API:

In the new release, some API calls have been disabled temporarily to enhance security. All the disabled API calls will be restored in a later release.

Changes In Agent Package Download:

After the release of 9.5.7a, It is impossible to download an agent installation package without authentication to VSA anymore. The ability to deploy agents to external users will be restored in a future release.

Readiness And Best Practice Guide Available For Both On-Premise And SaaS VSA:

The company has published the readiness guide and best practice guide for the customers to read before they proceed with patching the VSA Supply-Chain Attack.

On-Premise VSA:


Thanks for reading the post. Please share this information and help securing the digital world.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription