In this paper we study an RSA variant with moduli of the form N = prql (r > l ≥ 2). This variant was mentioned by Boneh, Durfee and Howgrave-Graham . Later Lim, Kim, Yie and Lee  showed that this variant is much faster than the standard RSA moduli in the step of decryption procedure. There are two proposals of RSA variants when N = prql. In the first proposal, the encryption exponent e and the decryption exponent d satisfy ed = 1 mod pr-1ql-1(p-1)(q-1),whereas in the second proposal ed = 1 mod (p-1)(q-1). We prove that for the first case if d < N1-(3r+l)(r+l)-2, one can factor N in polynomial time. We also show that polynomial time factorization is possible if d < N(7-2¶7)/(3(r+l)) for the second case. Finally, we study the case when few bits of one prime are known to the attacker for this variant of RSA. We show that given min( l r+l , 2(r-l) r+l ) log2 p least significant bits of one prime, one can factor N in polynomial time. © 2017 Walter de Gruyter GmbH, Berlin/Boston.