CVE-2021-22005

9.8 CRITICAL

📋 TL;DR

CVE-2021-22005 is a critical (CVSSv3 9.8) arbitrary file upload vulnerability in the Analytics service of VMware vCenter Server, published in VMSA-2021-0020. An attacker who can reach vCenter's HTTPS port (443) can, without authenticating, send a POST to the Analytics telemetry endpoint /analytics/telemetry/ph/api/hyper/send; the `_i` (instance id) request parameter is not sanitized against path traversal, so the request body is written to disk at a path the attacker influences. Public exploits chain this file write into code execution on the vCenter Server Appliance. Any unpatched vCenter Server 7.0 deployment or 6.7 appliance is affected.

💻 Affected Systems

Products:
  • VMware vCenter Server
Versions: vCenter Server 7.0 before 7.0 U2c, and vCenter Server 6.7 (appliance) before 6.7 U3o. vCenter Server 6.5 is not affected by this CVE, although other CVEs in the same advisory do apply to it.
Operating Systems: Linux (vCenter Server Appliance, Photon OS). vCenter Server 6.7 on Windows is not affected by CVE-2021-22005, and 7.0 ships only as an appliance.
Default Config Vulnerable: ⚠️ Yes
Notes: The Analytics service is installed and running by default, and the vulnerable endpoint is reachable through the reverse proxy on port 443 whether or not the Customer Experience Improvement Program (CEIP) is enabled. Opting out of CEIP is not a mitigation.

📦 What is this software?

VMware vCenter Server is the centralized management plane for vSphere: it manages ESXi hosts, clusters, virtual machines, datastores and virtual networking, and holds the administrative credentials and permissions for the whole virtual estate. It is deployed as a Linux-based virtual appliance (the vCenter Server Appliance) and, for 6.7 and earlier, optionally on Windows. The Analytics service is the component that collects and forwards telemetry (CEIP) data.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of vCenter Server leading to full control of virtual infrastructure, data exfiltration, ransomware deployment, and lateral movement to connected systems.

🟠

Likely Case

Remote code execution on vCenter Server allowing attackers to steal credentials, manipulate virtual machines, and establish persistence in the environment.

🟢

If Mitigated

Limited impact if proper network segmentation, access controls, and monitoring are in place to detect and block exploitation attempts.

🌐 Internet-Facing: HIGH - an unpatched vCenter Server reachable from the internet will be found and exploited quickly; mass scanning for this endpoint began within days of the advisory.
🏢 Internal Only: HIGH - vCenter is rarely internet-exposed, but any compromised internal host or malicious insider with a route to port 443 can exploit it without credentials, and vCenter is a prime target for ransomware operators once they are inside the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED (a Metasploit module exists)
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts and a Metasploit module are available. Actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities catalog. No authentication or user interaction is required; a single crafted POST request is enough to write the file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: vCenter Server 7.0 U2c (build 18356314) and 6.7 U3o (build 18485166). vCenter Server 6.5 needs no patch for this CVE; 6.5 U3q addresses the other issues in VMSA-2021-0020.

Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0020.html

Restart Required: Yes

Instructions:

1. Back up vCenter Server (file-based backup from the appliance management interface) and take a snapshot of the appliance VM.
2. Obtain the patch from the VMware Customer Connect patch portal, or point the appliance at the default VMware update repository.
3. Apply it from the vCenter Server Appliance Management Interface (https://<vcenter>:5480, Update section) or from the appliance shell with the software-packages command (for example, software-packages install --iso against an attached patch ISO). The vCenter Server Update Planner only checks interoperability; it does not install patches.
4. The update restarts vCenter services and may reboot the appliance. Verify the build number afterwards.

🔧 Temporary Workarounds

Disable Analytics Service

linux

VMware's supported workaround (KB 85717) removes the vulnerable telemetry endpoint by commenting out its definition in /etc/vmware-analytics/ph-web.xml and /etc/vmware-analytics/ph4-web.xml on the appliance and then restarting the service:

service-control --stop vmware-analytics
service-control --start vmware-analytics

A cruder stopgap is to leave the service stopped. CEIP telemetry stops until it is started again, but the vSphere UI and the other vCenter services keep working and do not need to be stopped:

service-control --stop vmware-analytics

Either way this is temporary: a stopped service comes back after an appliance reboot unless the XML edit was made, and patching is the only real fix.

Network Segmentation

all

Restrict access to vCenter Server port 443 to trusted management networks only

🧯 If You Can't Patch

  • Restrict access to vCenter Server port 443 to a dedicated management network or jump hosts; never expose it to the internet
  • Block or alert on POST requests to /analytics/telemetry/ph/api/hyper/send at a WAF or reverse proxy in front of vCenter, allowing them at most from vCenter's own management network
  • Apply the KB 85717 workaround above and confirm the endpoint no longer accepts requests
  • If the server was reachable from untrusted networks while unpatched, treat it as potentially compromised and investigate before relying on workarounds

🔍 How to Verify

Check if Vulnerable:

Compare the running build against the fixed builds above: an unpatched 7.0 deployment is any build below 18356314, and an unpatched 6.7 appliance is any build below 18485166. To test the endpoint itself (only on systems you are authorised to test, since even a benign probe writes a small file on a vulnerable host), send a POST to /analytics/telemetry/ph/api/hyper/send with the `_c` and `_i` query parameters set; public scanners treat an HTTP 201 Created response as vulnerable and a 400 as patched.

Check Version:

On the vCenter Server Appliance shell: vpxd -v (prints, for example, "VMware VirtualCenter 7.0.2 build-18356314"). The build is also shown on the appliance management interface summary page and in the vSphere Client under Help > About.

Verify Fix Applied:

Confirm the reported build is at or above the fixed build for your branch, and that the benign probe above no longer returns 201. If you applied the KB 85717 workaround instead of patching, confirm the endpoint returns an error after the service restart.
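The two checks above as code. This is an added example, not VMware tooling and not code from this page: it parses the build out of `vpxd -v` output and compares it with the fixed builds, and it classifies the response to the benign probe. The 201/400/404 interpretation is an assumption taken from public scanner behaviour rather than from the advisory, and the `_i` marker value is hypothetical; both are labelled in the code.

```python
"""Check a vCenter Server for CVE-2021-22005 (added example, not VMware code).

Two independent checks:
  1. version_is_vulnerable(): compare the build from `vpxd -v` with the
     first fixed builds from VMSA-2021-0020.
  2. probe(): send the benign unauthenticated POST that public scanners use
     and interpret the HTTP status (assumption: 201 = vulnerable, 400 = fixed).
Run probe() only against systems you are authorised to test: on an
unpatched host the request writes a small file on the appliance.
"""
import http.client
import re
import ssl
from urllib.parse import urlencode

ENDPOINT = "/analytics/telemetry/ph/api/hyper/send"

# First fixed build per branch (VMSA-2021-0020). 6.5 is not in the table
# because CVE-2021-22005 does not affect it.
FIXED_BUILDS = {
    "7.0": 18356314,  # vCenter Server 7.0 U2c
    "6.7": 18485166,  # vCenter Server 6.7 U3o (appliance only)
}

VPXD_RE = re.compile(r"VirtualCenter (\d+)\.(\d+)(?:\.\d+)? build-(\d+)")


def parse_vpxd_version(text):
    """Turn 'VMware VirtualCenter 7.0.2 build-18356314' into ('7.0', 18356314)."""
    m = VPXD_RE.search(text)
    if not m:
        raise ValueError("unrecognised vpxd -v output: %r" % text)
    return "%s.%s" % (m.group(1), m.group(2)), int(m.group(3))


def version_is_vulnerable(vpxd_output):
    """True if the build is on an affected branch and below its first fixed build."""
    branch, build = parse_vpxd_version(vpxd_output)
    if branch not in FIXED_BUILDS:
        return False  # 6.5 and older: not affected by this CVE
    return build < FIXED_BUILDS[branch]


def classify_probe(status):
    """Interpret the HTTP status of the benign probe POST.

    Assumption (public scanner behaviour, not stated in the advisory):
    unpatched builds accept the upload and answer 201 Created; patched
    builds reject the request with 400; 404 means the endpoint is not
    reachable at all (workaround applied or blocked upstream).
    """
    if status == 201:
        return "vulnerable"
    if status == 400:
        return "patched"
    if status == 404:
        return "endpoint not exposed"
    return "inconclusive (HTTP %d)" % status


def probe(host, port=443, timeout=10):
    """Send the probe and classify the answer (network call, not run by tests)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # vCenter usually presents a self-signed cert
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    # Hypothetical marker value for _i; any plain string works, no traversal needed.
    query = urlencode({"_c": "", "_i": "cve-2021-22005-check"})
    conn.request("POST", ENDPOINT + "?" + query, body="{}",
                 headers={"Content-Type": "application/json"})
    status = conn.getresponse().status
    conn.close()
    return classify_probe(status)


if __name__ == "__main__":
    import subprocess
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe(sys.argv[1]))
    else:
        # Running on the appliance itself: ask vpxd for its build.
        out = subprocess.run(["vpxd", "-v"], capture_output=True, text=True).stdout
        print("vulnerable" if version_is_vulnerable(out) else "not vulnerable", out.strip())
```

Run it with a hostname to probe over the network, or with no arguments on the appliance shell to check the local build. Prefer the build check where you have shell access; it is authoritative and touches nothing.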

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /analytics/telemetry/ph/api/hyper/send in the reverse-proxy or Analytics service logs from any source other than the vCenter itself, especially where the `_i` parameter contains path traversal sequences (../), which indicate an attempt to write outside the analytics directory
  • New or modified files the Analytics service has no reason to write: configuration under /etc (for example cron or rsyslog entries), SSH authorized_keys, or other files in system locations
  • Unexpected child processes of the vmware-analytics service, or shells and tunnelling tools running on the appliance
  • New local accounts, password changes, or new vSphere roles and permissions appearing shortly after a suspicious request

The endpoint is unauthenticated, so there is no failed-login prelude to look for; the first sign is usually the POST itself.

Network Indicators:

  • POST requests to /analytics/telemetry/ph/api/hyper/send on port 443 from internet or non-management sources, often preceded by a GET probing the same path
  • Outbound connections from the vCenter Server Appliance to unknown external IPs (reverse shells, tool download)

SIEM Query:

source="vcenter.log" AND url="/analytics/telemetry/ph/api/hyper/send*" AND method="POST" AND NOT src_ip IN ("127.0.0.1", "::1")

Field names depend on how the reverse-proxy logs are parsed. A hit whose `_i` parameter contains ../ should be treated as an exploitation attempt rather than a probe. The appliance runs Photon OS, so Windows process names such as cmd.exe or powershell.exe are not meaningful indicators here.
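A small log scanner for the indicators above, as an added example that is not part of the original page and not VMware tooling: it parses constructed Combined Log Format lines, keeps only POSTs to the telemetry endpoint, decodes the `_i` parameter twice to catch double encoding, flags traversal sequences, and records whether the server accepted the write (201). The sample lines and IP addresses are constructed; real vCenter reverse-proxy logs use a different layout, so the line regex is the part to adapt.

```python
"""Scan web access logs for CVE-2021-22005 exploitation attempts.

Added example, not VMware tooling. The log lines below are constructed in
Combined Log Format; vCenter's own rhttpproxy/analytics logs use a different
layout, so adapt LINE_RE to whatever your collector emits.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/analytics/telemetry/ph/api/hyper/send"
LOCAL_SOURCES = {"127.0.0.1", "::1"}

# Constructed sample: one normal UI hit, a benign probe, two traversal
# attempts (one double percent-encoded) and a request rejected by a patched build.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2021:10:01:02 +0000] "GET /ui/ HTTP/1.1" 200 1213 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Sep/2021:10:02:30 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=&_i=test HTTP/1.1" 201 0 "-" "python-requests/2.25.1"
203.0.113.7 - - [21/Sep/2021:10:02:31 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=x&_i=/../../../../etc/evil HTTP/1.1" 201 0 "-" "python-requests/2.25.1"
203.0.113.7 - - [21/Sep/2021:10:02:32 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=x&_i=%252f..%252f..%252fetc%252fevil HTTP/1.1" 201 0 "-" "curl/7.68.0"
10.0.0.9 - - [21/Sep/2021:10:03:00 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=x&_i=test HTTP/1.1" 400 0 "-" "curl/7.68.0"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path component, with either slash style, anywhere in the value.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def analyze_line(line):
    """Return a finding dict for a POST to ENDPOINT, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != ENDPOINT or m.group("method").upper() != "POST":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs decodes once; decode again so %252e%252e style double
    # encoding does not slip past the traversal check.
    instance = unquote(params.get("_i", [""])[0])
    traversal = bool(TRAVERSAL_RE.search(instance))
    external = m.group("src") not in LOCAL_SOURCES
    if traversal:
        severity = "high"      # trying to write outside the analytics directory
    elif external:
        severity = "medium"    # external client touching an internal-only endpoint
    else:
        severity = "low"
    return {
        "src": m.group("src"),
        "time": m.group("ts"),
        "instance_id": instance,
        "traversal": traversal,
        "accepted": m.group("status") == "201",  # 201 means the file was written
        "severity": severity,
    }


def scan(log_text):
    """Run analyze_line over every line and keep the findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        f = analyze_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%(severity)-6s %(src)-14s accepted=%(accepted)s _i=%(instance_id)s" % f)
```

On the constructed sample the scanner reports four findings: the probe and the rejected request as medium, the two traversal attempts as high, with the 400 response marked as not accepted. A high-severity finding with accepted=True is the case to escalate, because the appliance has already written an attacker-controlled file.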

🔗 References

  • VMware Security Advisory VMSA-2021-0020: https://www.vmware.com/security/advisories/VMSA-2021-0020.html
  • VMware KB 85717, workaround instructions for CVE-2021-22005: https://kb.vmware.com/s/article/85717