CVE-2021-30116 — Kaseya Virtual System/Server Administrator (VSA)

known ransomware use

Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability

Added to KEV

2021-11-03

Federal due date

2021-11-17

Vendor

Kaseya

Product

Virtual System/Server Administrator (VSA)

EPSS

98.1th percentile (score 0.541, as of 2026-06-08)

NVD CVSS v3.1

—

Ransomware use

Known

Upstream

https://nvd.nist.gov/vuln/detail/CVE-2021-30116

CISA short description

Kaseya Virtual System/Server Administrator (VSA) contains an information disclosure vulnerability allowing an attacker to obtain the sessionId that can be used to execute further attacks against the system.

Required action

Apply updates per vendor instructions.

EPSS percentile is the FIRST.org exploit-probability ranking as of the date noted above; it moves daily. CVSS reflects NVD's analysis at time of publication.