CVE-2021-21994

9.8 CRITICAL

📋 TL;DR

CVE-2021-21994 is an authentication bypass in SFCB (Small Footprint CIM Broker), the CIM/WBEM server that VMware ESXi runs as the sfcbd daemon. VMware attributes the flaw to improper certificate validation in SFCB: an attacker with network access to TCP port 5989 (CIM over HTTPS) can send a specially crafted request and bypass SFCB authentication. It affects ESXi hosts with the SFCB service enabled, which is the default state. VMware's own advisory (VMSA-2021-0014) rates the issue Important with a CVSSv3 base score of 7.0.

💻 Affected Systems

Products:
  • VMware ESXi
Versions: ESXi 7.0 before ESXi70U1c-17325551 (7.0 Update 1c), ESXi 6.7 before ESXi670-202102401-SG, ESXi 6.5 before ESXi650-202102101-SG
Operating Systems: VMware ESXi
Default Config Vulnerable: ⚠️ Yes
Notes: sfcbd listens on TCP 5989 (CIM over HTTPS, ESXi firewall ruleset CIMHttpsServer) by default; the plaintext CIM listener on TCP 5988 (ruleset CIMHttpServer) is normally off ("Enable Http: false" in esxcli system wbem get). Any host on which port 5989 is reachable and the fixed build for its branch is not installed is exploitable.

📦 What is this software?

SFCB is a lightweight, open-source CIM server (a WBEM implementation) that ESXi runs as the sfcbd daemon. It exposes hardware inventory and health data over CIM-XML, normally on HTTPS port 5989, to vCenter, the host client's hardware health views and vendor hardware-monitoring agents, and it hosts the third-party CIM provider VIBs that server OEMs ship for ESXi.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of ESXi host allowing unauthorized access to management functions, potential lateral movement to other systems, and complete control of virtual infrastructure.

🟠

Likely Case

Unauthorized access to ESXi management functions, potential privilege escalation, and compromise of virtual machines hosted on the system.

🟢

If Mitigated

Limited impact due to network segmentation, proper access controls, and monitoring that detects anomalous authentication attempts.

🌐 Internet-Facing: HIGH - ESXi management interfaces exposed to internet are directly exploitable without authentication.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this to gain unauthorized access to ESXi hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to port 5989 but no authentication. Public exploit code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ESXi70U1c-17325551, ESXi670-202102401-SG, ESXi650-202102101-SG

Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0014.html

Restart Required: Yes

Instructions:

  1. Download the patch bundle for your branch (see Patch Version above) from the VMware patch portal.
  2. Place the host in maintenance mode (evacuate or power off its VMs).
  3. Apply the patch with vSphere Update Manager / Lifecycle Manager, or from the ESXi CLI.
  4. Reboot the host.
  5. Verify the installed build against the fixed release for the branch (see How to Verify).

🔧 Temporary Workarounds

Block port 5989

Disable the ESXi firewall rulesets for the CIM listeners (HTTPS on 5989 and plaintext HTTP on 5988). This cuts off every CIM client, including vCenter hardware-health polling and vendor hardware agents, so expect those views to go stale until the patch is applied:

esxcli network firewall ruleset set -r CIMHttpsServer -e false   # CIM over HTTPS, TCP 5989
esxcli network firewall ruleset set -r CIMHttpServer -e false    # plaintext CIM, TCP 5988

Disable SFCB service

Stop and disable sfcbd if nothing on the host depends on CIM. The init script stops the running daemon; chkconfig keeps it from starting again after a reboot:

/etc/init.d/sfcbd-watchdog stop    # stop the running daemon now
chkconfig sfcbd-watchdog off       # keep it disabled across reboots

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ESXi management interfaces
  • Enable comprehensive logging and monitoring for authentication attempts on port 5989

🔍 How to Verify

Check if Vulnerable:

Confirm the branch and build, then check whether the CIM listener is up:

esxcli system version get
esxcli network ip connection list | grep ':5989 '

A host is vulnerable when its build predates the fixed release for its branch (see Official Fix) and the second command shows a LISTEN entry on 5989.

Check Version:

esxcli system version get

Verify Fix Applied:

The fix ships inside the esx-base VIB, not in a VIB named sfcb, so grepping the VIB list for "sfcb" returns nothing on patched and unpatched hosts alike. Compare the esx-base VIB version and the host build against the fixed release for your branch instead:

esxcli software vib list | grep esx-base
esxcli system version get

For 7.0 the fixed build is 17325551 (the number carried in ESXi70U1c-17325551). Then confirm that port 5989 is either not listening or reachable only from the management network.
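The checks above pulled together into one script, as an added example that is not VMware's tooling and not code from this page. It assumes it runs in the ESXi shell with esxcli available; off-box it falls back to constructed sample output (marked as such in the code) so the logic can be read and tested without a host. Only the 7.0 fixed build is known from this page; the 6.7 and 6.5 thresholds are left empty and must be filled from the patch release notes before the script can give a verdict on those branches.

```shell
#!/bin/sh
# Added example, not VMware tooling: on-host status check for CVE-2021-21994.
# Run in the ESXi shell. Where esxcli is absent (off-box), the constructed
# sample output at the bottom is evaluated instead.

# Fixed build per branch. The 7.0 build (17325551) is part of the patch name
# ESXi70U1c-17325551; the 6.7 / 6.5 builds are not on this page, so fill them
# from the release notes of ESXi670-202102401-SG / ESXi650-202102101-SG.
FIXED_BUILD_70=17325551
FIXED_BUILD_67=""
FIXED_BUILD_65=""

# is_patched VERSION BUILD -> patched | vulnerable | unknown
# ESXi build numbers are global, not per branch (a 2021 6.7 build can be
# numerically higher than 7.0 U1c), so the threshold is chosen by branch first.
is_patched() {
    case "$1" in
        7.0*) fixed=$FIXED_BUILD_70 ;;
        6.7*) fixed=$FIXED_BUILD_67 ;;
        6.5*) fixed=$FIXED_BUILD_65 ;;
        *)    fixed="" ;;
    esac
    if [ -z "$fixed" ] || [ -z "$2" ]; then
        echo unknown
    elif [ "$2" -ge "$fixed" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Field extraction from 'esxcli system version get' output
parse_version() { printf '%s\n' "$1" | sed -n 's/^ *Version: *//p'; }
parse_build()   { printf '%s\n' "$1" | sed -n 's/^ *Build: *Releasebuild-//p'; }

# sfcb_enabled WBEM_OUTPUT -> true | false   ('esxcli system wbem get')
sfcb_enabled() {
    printf '%s\n' "$1" | grep -q '^ *Enabled: *true' && echo true || echo false
}

# listener_state CONN_OUTPUT -> listening | not-listening   ('esxcli network ip connection list')
listener_state() {
    printf '%s\n' "$1" | grep -q '^tcp .*:5989 .*LISTEN' && echo listening || echo not-listening
}

# ruleset_enabled RULESET_OUTPUT -> true | false   ('esxcli network firewall ruleset list -r CIMHttpsServer')
ruleset_enabled() {
    printf '%s\n' "$1" | grep -q '^CIMHttpsServer *true' && echo true || echo false
}

# verdict PATCHSTATE SFCB_ENABLED LISTENER RULESET -> one-line assessment
verdict() {
    if [ "$1" = patched ]; then
        echo "OK: fixed build installed"
    elif [ "$3" = listening ] && [ "$4" = true ]; then
        echo "EXPOSED: patch state $1, sfcbd listening on 5989, CIMHttpsServer ruleset open"
    elif [ "$2" = false ] && [ "$3" = not-listening ]; then
        echo "MITIGATED: sfcbd disabled (patch state $1, patch still required)"
    elif [ "$4" = false ]; then
        echo "MITIGATED: CIMHttpsServer ruleset closed (patch state $1, patch still required)"
    else
        echo "REVIEW: patch state $1, sfcb=$2, listener=$3, ruleset=$4"
    fi
}

if command -v esxcli >/dev/null 2>&1; then
    VER_OUT=$(esxcli system version get)
    WBEM_OUT=$(esxcli system wbem get)
    CONN_OUT=$(esxcli network ip connection list)
    RULE_OUT=$(esxcli network firewall ruleset list -r CIMHttpsServer)
else
    # Constructed sample output (not captured from a real host), modelled on an
    # unpatched 7.0.1 host with sfcbd running and the ruleset open.
    VER_OUT='   Product: VMware ESXi
   Version: 7.0.1
   Build: Releasebuild-16850804
   Update: 1
   Patch: 0'
    WBEM_OUT='   Authorization Model: password
   Enable Http: false
   Enabled: true
   Log Level: warning
   Port: 5989'
    CONN_OUT='Proto  Recv Q  Send Q  Local Address  Foreign Address  State   World ID  CC Algo  World Name
tcp    0       0       0.0.0.0:5989   0.0.0.0:0        LISTEN  2098871   newreno  sfcb-HTTPS-Daemon
tcp    0       0       0.0.0.0:443    0.0.0.0:0        LISTEN  2098500   newreno  rhttpproxy'
    RULE_OUT='Name            Enabled
--------------  -------
CIMHttpsServer     true'
fi

VERSION=$(parse_version "$VER_OUT")
BUILD=$(parse_build "$VER_OUT")
STATE=$(is_patched "$VERSION" "$BUILD")
echo "ESXi $VERSION build $BUILD: $STATE"
verdict "$STATE" "$(sfcb_enabled "$WBEM_OUT")" "$(listener_state "$CONN_OUT")" "$(ruleset_enabled "$RULE_OUT")"
```

Copy the script to the host (for example with scp to /tmp) and run it with sh. A MITIGATED verdict still means unpatched: the firewall ruleset and chkconfig state are workarounds, and on 6.5 and later `esxcli system wbem set --enable false` is the supported way to keep sfcbd disabled across reboots. Because the threshold is keyed on the version string, a 6.7 host reporting a build higher than 17325551 is never mistaken for a patched 7.0 host.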

📡 Detection & Monitoring

Log Indicators:

  • Repeated authentication failures reported by sfcbd (sfcb-tagged entries in /var/log/syslog.log; /var/log/sfcb.log where present)
  • CIM sessions from source addresses that are not vCenter or the known hardware-monitoring hosts
  • A successful bypass leaves no "bypass" message: look instead for CIM operations that complete without a preceding successful authentication from the same client

Network Indicators:

  • New or unexpected clients connecting to TCP 5989 (baseline the listener: normally only vCenter and hardware-monitoring hosts talk to it)
  • CIM-XML POSTs to /cimom that carry no Authorization header yet receive a 200 rather than a 401
  • CIM-XML requests with anomalous or malformed headers (a well-formed client request carries CIMOperation, CIMMethod and CIMObject headers)

SIEM Query:

source="esxi" AND (port=5989 OR service="sfcbd") AND (event_type="authentication" OR status="failure")

The field names are illustrative; map them to whatever your ESXi syslog parser emits. sfcbd events arrive over syslog with an sfcb process tag rather than with a port field, so the port=5989 clause is only useful on firewall or NetFlow sources, not on the host logs themselves.
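The Network Indicators above hinge on what a credential-less CIM-XML request and the expected 401 look like on the wire. The following added check, not VMware's code and not from this page, sends exactly that request from a monitoring host so you can confirm the listener is enforcing authentication at all and capture known-benign traffic for signature tuning. It assumes curl on the probing host, a reachable ESXi target, and the standard CIM-XML (DSP0200) request shape; it does not exercise the CVE-2021-21994 bypass itself, so a 401 only shows baseline authentication is enforced, not that the host is patched.

```shell
#!/bin/sh
# Added example, not VMware tooling: network-side check that the CIM listener
# on TCP/5989 rejects credential-less CIM-XML operations. It does NOT trigger
# the CVE-2021-21994 bypass; a 401 only shows baseline authentication works.
# Usage: ./cim_auth_probe.sh <esxi-host> [port]

# Standard CIM-XML (DSP0200) EnumerateInstances request carrying no credentials.
CIM_BODY='<?xml version="1.0" encoding="utf-8"?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0">
 <MESSAGE ID="1" PROTOCOLVERSION="1.0">
  <SIMPLEREQ>
   <IMETHODCALL NAME="EnumerateInstances">
    <LOCALNAMESPACEPATH><NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/></LOCALNAMESPACEPATH>
    <IPARAMVALUE NAME="ClassName"><CLASSNAME NAME="CIM_ComputerSystem"/></IPARAMVALUE>
   </IMETHODCALL>
  </SIMPLEREQ>
 </MESSAGE>
</CIM>'

# probe_cim HOST [PORT] -> HTTP status code, or 000 when no TLS connection.
# -k skips certificate validation: ESXi ships a self-signed certificate, and
# this check is about authentication, not the certificate chain.
probe_cim() {
    curl -sk --max-time 10 -o /dev/null -w '%{http_code}' \
        -X POST "https://$1:${2:-5989}/cimom" \
        -H 'Content-Type: application/xml; charset="utf-8"' \
        -H 'CIMOperation: MethodCall' \
        -H 'CIMMethod: EnumerateInstances' \
        -H 'CIMObject: root/cimv2' \
        --data-binary "$CIM_BODY"
}

# classify STATUS -> one-line verdict for the probe result
classify() {
    case "$1" in
        000) echo "not-reachable: 5989 closed or filtered (firewall workaround in effect, sfcbd stopped, or host down)" ;;
        401) echo "auth-enforced: listener rejects credential-less CIM-XML (expected)" ;;
        200) echo "NO-AUTH: credential-less enumeration succeeded, treat as a compromised or misconfigured host" ;;
        *)   echo "unexpected: HTTP $1, capture and inspect the full response" ;;
    esac
}

if [ -n "$1" ]; then
    classify "$(probe_cim "$1" "$2")"
fi
```

Run it from the same network position as your monitoring sensor while capturing, so the capture contains one known-benign request/401 pair to build or test a signature against. Only the HTTPS listener is probed; if the plaintext CIM listener on 5988 is enabled on a host, probe it separately over http://.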

🔗 References

  • VMware Security Advisory VMSA-2021-0014: https://www.vmware.com/security/advisories/VMSA-2021-0014.html