CVE-2021-21972
📋 TL;DR
CVE-2021-21972 is a critical (CVSSv3 9.8) remote code execution vulnerability in the vSphere Client (HTML5), specifically in the vRealize Operations (vROps) plugin that ships with vCenter Server. The plugin's file-upload endpoint, /ui/vropspluginui/rest/services/uploadova, accepts uploads without authentication, so an attacker with network access to port 443/TCP can write arbitrary files and execute commands with unrestricted privileges on the operating system hosting vCenter Server. Affected products are vCenter Server 6.5, 6.7 and 7.0 and VMware Cloud Foundation 3.x and 4.x.
💻 Affected Systems
- VMware vCenter Server
- VMware Cloud Foundation
📦 What is this software?
vCenter Server is VMware's centralized management platform for vSphere. It manages ESXi hosts, virtual machines, storage and networking, and holds credentials for every host it manages, which is why compromising it gives control of the whole virtual estate. VMware Cloud Foundation bundles vCenter Server with vSAN, NSX and SDDC Manager and therefore ships the same vulnerable component.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of vCenter Server environment leading to lateral movement across virtual infrastructure, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Attackers gain full administrative control over vCenter Server, allowing them to manipulate virtual machines, steal credentials, and pivot to other systems in the environment.
If Mitigated
Limited impact where port 443/TCP on vCenter Server is reachable only from a dedicated management network, because the vulnerability cannot be triggered without network access to the vSphere Client.
🎯 Exploit Status
Multiple public exploit scripts are available (see References) and CISA lists this CVE in its Known Exploited Vulnerabilities catalog. Exploitation requires only network access to port 443/TCP on vCenter Server; no credentials and no user interaction are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: vCenter Server 7.0 U1c, 6.7 U3l, 6.5 U3n; Cloud Foundation 4.2, 3.10.1.2
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0002.html
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the VMware patch portal.
2. Back up vCenter Server (file-based backup from the VAMI, or a VM snapshot of the appliance).
3. Apply the patch through the VAMI (https://<vcenter>:5480, Update page) or from the appliance CLI.
4. Restart vCenter services (the VAMI update restarts the appliance).
5. Verify the installation: the reported version must be 7.0 U1c, 6.7 U3l or 6.5 U3n (or later).
🔧 Temporary Workarounds
Disable the vROps plugin (VMware KB 82374)
Linux (vCenter Server Appliance). The vulnerable component is the vRealize Operations plugin, not the vSAN Health Check plugin. VMware's documented workaround marks the plugin incompatible in the vSphere Client compatibility matrix so that vsphere-ui refuses to load it; the Flex client service (vsphere-client) is not involved and does not need to be stopped.
service-control --stop vsphere-ui
# Edit /etc/vmware/vsphere-ui/compatibility-matrix.xml and add, inside <pluginsCompatibility>:
#   <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
service-control --start vsphere-ui
Windows-based vCenter Server 6.5/6.7 carries the same compatibility-matrix.xml under its configuration directory; follow KB 82374 for the path. After the restart the vROps plugin is expected to be absent from the vSphere Client, and the workaround must be reverted after patching if the plugin is needed.
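The workaround above is only effective if the plugin entry is actually present with status "incompatible" after the edit. The following script, an added example and not VMware code, parses a compatibility-matrix.xml and reports whether the vROps plugin is disabled, and shows an idempotent way to add the entry. It assumes the file is well-formed XML containing PluginPackage elements with id and status attributes under a pluginsCompatibility element (as KB 82374 describes); the root element name is not relied on, and the sample matrices are constructed for the test, not copied from an appliance.

```python
"""Check the vSphere Client compatibility matrix for the CVE-2021-21972
workaround (vROps plugin marked incompatible). Added example, not VMware code.

Assumptions: well-formed XML with <PluginPackage id="..." status="..."/>
elements (KB 82374 places them under <pluginsCompatibility>); the root
element name is not relied on.
"""
import sys
import xml.etree.ElementTree as ET

MATRIX_PATH = "/etc/vmware/vsphere-ui/compatibility-matrix.xml"
VROPS_PLUGIN_ID = "com.vmware.vrops.install"

# Constructed sample matrices (not copied from a real appliance).
SAMPLE_DISABLED = """<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
  </pluginsCompatibility>
</Matrix>
"""

SAMPLE_NOT_DISABLED = """<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
  <pluginsCompatibility>
    <!-- no vROps entry: the plugin is still loaded -->
    <PluginPackage id="com.example.other" status="incompatible"/>
  </pluginsCompatibility>
</Matrix>
"""


def plugin_status(matrix_xml: str, plugin_id: str = VROPS_PLUGIN_ID):
    """Return the status recorded for plugin_id, or None if it has no entry
    (no entry means the plugin is loaded normally)."""
    root = ET.fromstring(matrix_xml)
    # Walk the whole tree so the answer does not depend on the root element
    # or on where a given release nests the plugin list.
    for pkg in root.iter("PluginPackage"):
        if pkg.get("id") == plugin_id:
            return pkg.get("status")
    return None


def vrops_workaround_applied(matrix_xml: str) -> bool:
    """True only when the vROps plugin is explicitly marked incompatible."""
    return plugin_status(matrix_xml, VROPS_PLUGIN_ID) == "incompatible"


def add_incompatible_entry(matrix_xml: str, plugin_id: str = VROPS_PLUGIN_ID) -> str:
    """Return the matrix with an incompatible entry for plugin_id.
    Idempotent: an existing entry is updated, never duplicated."""
    root = ET.fromstring(matrix_xml)
    for pkg in root.iter("PluginPackage"):
        if pkg.get("id") == plugin_id:
            pkg.set("status", "incompatible")
            break
    else:
        parent = root.find(".//pluginsCompatibility")
        if parent is None:
            parent = root  # assumption: fall back to the root if the KB's container is absent
        ET.SubElement(parent, "PluginPackage", id=plugin_id, status="incompatible")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else MATRIX_PATH
    with open(path, encoding="utf-8") as fh:
        applied = vrops_workaround_applied(fh.read())
    print("vROps plugin marked incompatible:", applied)
    sys.exit(0 if applied else 1)
```

Run it on the appliance as `python3 check_matrix.py` (exit code 0 means the workaround is in place) or point it at a copied file. Use add_incompatible_entry only as a reference for the shape of the entry: ElementTree's default parser discards XML comments, so writing its output back over the real file would strip VMware's comments. Edit the live file with a text editor as KB 82374 instructs, then re-run the check.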
🧯 If You Can't Patch
- Immediately restrict access to port 443/TCP on vCenter Server with firewall rules so that only designated management hosts can reach the vSphere Client; the vulnerable endpoint needs no credentials, so reachability alone is exposure.
- Keep vCenter Server on a segmented management network with no path from user networks or the internet, and apply the vROps plugin workaround above until the patch is installed.
🔍 How to Verify
Check if Vulnerable:
Compare the running vCenter Server version with the affected versions. The vROps plugin is present on every vCenter Server by default, so an unpatched 6.5, 6.7 or 7.0 system is vulnerable unless the plugin has been marked incompatible in /etc/vmware/vsphere-ui/compatibility-matrix.xml.
Check Version:
From the appliance shell run vpxd -v, which prints the version and build number; the same information is on the VAMI Summary page (port 5480) and under Help > About in the vSphere Client.
vpxd -v
Verify Fix Applied:
The reported version must be 7.0 U1c, 6.7 U3l or 6.5 U3n, or a later release. If you are relying on the workaround instead, confirm that compatibility-matrix.xml still contains the com.vmware.vrops.install entry with status "incompatible" and that the vROps plugin no longer appears in the vSphere Client.
📡 Detection & Monitoring
Log Indicators:
- Files created or modified under /usr/lib/vmware-vsphere-ui/ on the appliance (or under the vCenter installation directory on Windows) that do not correspond to a patch or plugin deployment
- Processes spawned by the vsphere-ui service (shells, interpreters, network tools) that the service does not normally start
- Requests to /ui/vropspluginui/ paths without an authenticated vSphere Client session; the vulnerable endpoint requires no login, so such requests are not errors
Network Indicators:
- HTTP POST requests to /ui/vropspluginui/rest/services/uploadova, especially from hosts outside the management network
- Multipart file uploads to vCenter Server port 443/TCP from hosts that are not expected to administer vCenter
SIEM Query:
index=vcenter sourcetype=access_combined uri_path="/ui/vropspluginui/rest/services/uploadova" method=POST | stats count min(_time) as first_seen by src_ip, status
Review every hit: the endpoint is only used when an administrator deploys vROps from the vSphere Client, so POSTs from any other source, or from any source on an unpatched system, should be treated as exploitation attempts.
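The indicators above can be applied directly to the vSphere Client access log. The following script is an added example (not part of the original page or of any VMware tooling) that runs the detection logic over constructed Apache/Tomcat "combined" format log lines: POSTs to the upload endpoint are flagged as high severity from untrusted sources and medium from management hosts (to be confirmed against an actual vROps deployment), and any other request to the plugin's paths from outside the management network is flagged as reconnaissance. MGMT_NETWORKS is a hypothetical allowlist; the real vsphere-ui and rhttpproxy logs differ in field layout, so adjust LOG_RE for your source.

```python
"""Detect CVE-2021-21972 exploitation attempts in access-log lines.
Added example; not VMware code.

Assumptions: Apache/Tomcat 'combined' access-log format, and a
hypothetical allowlist of management subnets (MGMT_NETWORKS).
"""
import ipaddress
import re
from dataclasses import dataclass

UPLOAD_ENDPOINT = "/ui/vropspluginui/rest/services/uploadova"
PLUGIN_PREFIX = "/ui/vropspluginui/"

# Hypothetical allowlist: networks that legitimately administer vCenter.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from a real appliance).
SAMPLE_LOG = """\
10.10.0.5 - - [23/Feb/2021:10:01:12 +0000] "GET /ui/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Feb/2021:10:02:03 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 405 0 "-" "python-requests/2.25.1"
203.0.113.7 - - [23/Feb/2021:10:02:05 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 2 "-" "python-requests/2.25.1"
10.10.0.5 - - [23/Feb/2021:10:05:44 +0000] "POST /ui/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    severity: str
    ip: str
    method: str
    path: str
    status: str
    reason: str


def from_mgmt(ip: str) -> bool:
    """True if the client address lies inside an allowlisted management subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETWORKS)


def analyse(lines):
    """Return a Finding for each request that matches the indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: not silently trusted, just not scored here
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # ignore query strings when matching paths
        if not path.startswith(PLUGIN_PREFIX):
            continue
        trusted = from_mgmt(ip)
        if method == "POST" and path == UPLOAD_ENDPOINT:
            # The endpoint is unauthenticated: from an untrusted host this is an
            # exploitation attempt; from a management host it still needs review.
            sev = "medium" if trusted else "high"
            reason = "upload to unauthenticated vROps plugin endpoint"
        elif not trusted:
            sev = "medium"
            reason = "vROps plugin path probed from outside the management network"
        else:
            continue  # plugin traffic from management hosts is expected
        findings.append(Finding(sev, ip, method, path, m["status"], reason))
    return findings


def by_severity(findings, severity):
    return [f for f in findings if f.severity == severity]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
```

Feed it a real log with `analyse(open(path).read().splitlines())`. A 200 response to the POST on a system whose version predates the fix is the strongest single signal; once the patch or workaround is in place the endpoint should no longer be served by the plugin, so later POSTs are still worth recording as probing.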
🔗 References
- http://packetstormsecurity.com/files/161590/VMware-vCenter-Server-7.0-Arbitrary-File-Upload.html
- http://packetstormsecurity.com/files/161695/VMware-vCenter-Server-File-Upload-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/163268/VMware-vCenter-6.5-6.7-7.0-Remote-Code-Execution.html
- https://www.vmware.com/security/advisories/VMSA-2021-0002.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21972