CVE-2021-22049
📋 TL;DR
CVE-2021-22049 is a Server-Side Request Forgery (SSRF) vulnerability in the vSAN Web Client plug-in for vSphere Web Client (FLEX/Flash). It allows attackers with network access to vCenter Server port 443 to make unauthorized requests to internal services or external systems. This affects organizations running vulnerable versions of VMware vCenter Server with vSAN Web Client enabled.
💻 Affected Systems
- VMware vCenter Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot to internal systems, access sensitive data, or chain with other vulnerabilities to achieve remote code execution on vCenter Server.
Likely Case
Unauthorized access to internal services, information disclosure from internal endpoints, or potential lateral movement within the network.
If Mitigated
Limited impact if network segmentation restricts vCenter Server access and internal services are properly secured.
🎯 Exploit Status
Exploitation requires network access to vCenter Server port 443. Multiple proof-of-concept scripts are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: vCenter Server 6.5 U3p, 6.7 U3q, 7.0 U2c or later
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0027.html
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the VMware Customer Connect portal.
2. Apply the patch following VMware's vCenter Server update documentation.
3. Restart vCenter Server services as required.
🔧 Temporary Workarounds
Disable vSAN Web Client plug-in
Remove or disable the vulnerable vSAN Web Client (FLEX/Flash) component
Navigate to vCenter Server Management Interface > Plug-ins > Disable vSAN Web Client
Network segmentation
Restrict network access to vCenter Server port 443 to trusted sources only
Configure firewall rules to limit access to vCenter Server from authorized IP ranges
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vCenter Server from sensitive internal systems
- Monitor vCenter Server logs for unusual outbound requests or SSRF patterns
🔍 How to Verify
Check if Vulnerable:
Check vCenter Server version and verify if vSAN Web Client plug-in is enabled in the vSphere Web Client interface.
Check Version:
Connect to vCenter Server via SSH and run: /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
Verify Fix Applied:
Verify vCenter Server version is patched to 6.5 U3p, 6.7 U3q, or 7.0 U2c or later, and confirm vSAN Web Client plug-in is either disabled or updated.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from vCenter Server
- Requests to internal services from vCenter Server IP
- Access to vSAN Web Client endpoints with suspicious parameters
Network Indicators:
- HTTP requests from vCenter Server to unexpected internal/external endpoints
- Port scanning activity originating from vCenter Server
SIEM Query:
source_ip=vCenter_Server AND (http_method=GET OR http_method=POST) AND (url_contains="/ui/vsanui/" OR url_contains="internal")
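As an added example, not part of the original advisory summary: a small Python checker that applies the indicators above to sample log lines, flagging a vSAN Web Client endpoint hit whose parameter names an internal host, and a GET/POST leaving the vCenter Server address for an internal endpoint. The log format, the vCenter address, and the `/ui/vsanui/rest/example?target=` endpoint and parameter name are constructed assumptions; only the `/ui/vsanui/` prefix comes from the page.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample data for this example only: the vCenter Server address, the log
# format (timestamp, source IP, method, URL, status) and the endpoint/parameter names.
VCENTER_IP = "10.0.0.5"
VSAN_UI_PREFIX = "/ui/vsanui/"  # endpoint prefix named in the detection section
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

SAMPLE_LOG = """\
2021-09-21T10:00:01Z 192.0.2.10 GET /ui/vsanui/rest/health?cluster=vsan01 200
2021-09-21T10:00:02Z 192.0.2.10 GET /ui/vsanui/rest/example?target=http://127.0.0.1:9443/ 200
2021-09-21T10:00:03Z 10.0.0.5 GET http://10.0.0.20:8443/admin 200
2021-09-21T10:00:04Z 10.0.0.5 GET https://updates.example.com/manifest 200
"""

def is_internal_host(host):
    """True for loopback, private and link-local addresses, and for localhost/.internal names."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return host == "localhost" or host.endswith(".internal")

def host_of(value):
    """Extract the host from a parameter value written as a URL or as host[:port]."""
    try:
        return urlparse(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None

def classify(line):
    """Return the indicator names that match one log line (empty list = no match)."""
    m = LOG_LINE.match(line)
    if m is None or m["method"] not in ("GET", "POST"):
        return []
    hits = set()
    url = urlparse(m["url"])
    # Indicator: vSAN Web Client endpoint called with a parameter aimed at an internal host.
    if url.path.startswith(VSAN_UI_PREFIX):
        for values in parse_qs(url.query).values():
            if any(is_internal_host(h) for h in map(host_of, values) if h):
                hits.add("vsanui-param-points-internal")
    # Indicator: request leaving vCenter Server for an internal endpoint (outbound proxy log).
    if m["src"] == VCENTER_IP and url.hostname and is_internal_host(url.hostname):
        hits.add("vcenter-outbound-internal")
    return sorted(hits)

def scan(log_text):
    """(line_number, indicators) for each line that matches at least one indicator."""
    return [(n, h) for n, line in enumerate(log_text.splitlines(), 1) if (h := classify(line))]
```

Running `scan(SAMPLE_LOG)` flags lines 2 and 3 of the sample and leaves the benign health check and the external update fetch alone.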