Login Sign Up

CVE-2021-22042

7.8 HIGH

📋 TL;DR

This vulnerability in VMware ESXi allows attackers with VMX process privileges to access the settingsd service running with high privileges. This could lead to unauthorized configuration changes or privilege escalation. Only VMware ESXi hypervisors are affected.

💻 Affected Systems

Products:
  • VMware ESXi
Versions: 7.0 prior to ESXi70U3c-19193900, 6.7 prior to ESXi670-202111101-SG, 6.5 prior to ESXi650-202110101-SG
Operating Systems: VMware ESXi
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have VMX process privileges, which typically means they already have some level of access to the system.

📦 What is this software?

Cloud Foundation by Vmware

View all CVEs affecting Cloud Foundation →

Esxi by Vmware

View all CVEs affecting Esxi →

Esxi by Vmware

View all CVEs affecting Esxi →

Esxi by Vmware

View all CVEs affecting Esxi →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the ESXi host, allowing attackers to modify virtual machine configurations, access sensitive data, or disrupt operations.

🟠

Likely Case

Unauthorized configuration changes to ESXi settings or virtual machines, potentially leading to service disruption or data exposure.

🟢

If Mitigated

Limited impact due to proper network segmentation and access controls restricting VMX process access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires existing VMX process privileges, making this primarily an insider threat or post-compromise escalation vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ESXi70U3c-19193900, ESXi670-202111101-SG, ESXi650-202110101-SG

Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2022-0004.html

Restart Required: Yes

Instructions:

1. Download appropriate patch from VMware portal. 2. Place host in maintenance mode. 3. Apply patch via vSphere Lifecycle Manager or CLI. 4. Reboot host. 5. Verify patch installation.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict network access to ESXi management interfaces to trusted administrative networks only.

Access Control

all

Implement strict access controls and monitoring for VMX process activities.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ESXi management interfaces
  • Enhance monitoring and alerting for unauthorized configuration changes

🔍 How to Verify

Check if Vulnerable:

Check ESXi version via vSphere Client or SSH: esxcli system version get

Check Version:

esxcli system version get

Verify Fix Applied:

Verify installed patch version matches or exceeds patched versions listed in advisory

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to settingsd service
  • Unexpected configuration changes in ESXi logs

Network Indicators:

  • Unusual network traffic to ESXi management interfaces from non-admin sources

SIEM Query:

source="esxi" AND (event_type="settingsd_access" OR config_change="unauthorized")

📊 Metadata

CVE ID: CVE-2021-22042
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-863
Published: February 16, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-22042, you might also want to check these:

CVE-2023-4617 10.0

This vulnerability allows remote attackers to bypass authorization controls in the Govee Home mobile...

Same vulnerability type (CWE-863)
CVE-2025-54253 10.0

CVE-2025-54253 is a critical misconfiguration vulnerability in Adobe Experience Manager Forms that a...

Same vulnerability type (CWE-863)
CVE-2021-38503 10.0

This vulnerability allows malicious iframes to bypass sandbox restrictions when loading XSLT stylesh...

Same vulnerability type (CWE-863)