Cyber Resilience

CVE-2021-21972

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 24 February 2021
Modified: 30 October 2025
KEV Added: 03 November 2021
Patch: available (see VMSA-2021-0002 under Deeper analysis)
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9382 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-21972 is a critical-severity path traversal (CWE-22) vulnerability in VMware vCenter Server that allows unauthenticated remote code execution. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS 0.9382); CISA added it to the Known Exploited Vulnerabilities catalog on 03 November 2021; and public proof-of-concept code is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), i.e. applying the vendor patch, and SC-7 (Boundary Protection), i.e. restricting who can reach the vCenter interface on TCP 443.

Deeper analysis

The vulnerability is a remote code execution flaw in the vSphere Client (HTML5) component of VMware vCenter Server, specifically within a server-side plugin. It stems from missing validation of a user-supplied file path in the plugin's file-upload handling, which permits path traversal (CWE-22) and therefore an arbitrary file write on the appliance. It affects VMware vCenter Server 7.x releases prior to 7.0 U1c, 6.7 releases prior to 6.7 U3l, and 6.5 releases prior to 6.5 U3n, as well as VMware Cloud Foundation 4.x releases prior to 4.2 and 3.x releases prior to 3.10.1.2. The issue carries a CVSS score of 9.8, reflecting network-accessible, unauthenticated exploitation with full impact on confidentiality, integrity, and availability.
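The affected-version list above is what an operator actually has to apply to an asset inventory, and the "U3l"/"U1c" update designators do not sort as plain strings. The following is an added example, not code from this page or from VMware: it encodes the fixed releases stated above and triages a constructed sample inventory. The version-string grammar ("7.0 U1c", "3.10.1.2") is an assumption about how an inventory export spells versions; real vCenter builds are more reliably compared by build number, which this page does not list.

```python
"""Triage vCenter Server / Cloud Foundation versions against CVE-2021-21972.

Added example, not code from the page or from VMware. The fixed-version
thresholds are the ones stated in the advisory text; the inventory and the
version-string grammar ("7.0 U1c", "3.10.1.2") are constructed assumptions
about how an export from an asset inventory might spell them.
"""
import re

# First fixed release per product branch, as listed in the advisory.
FIXED = {
    ("vcenter", "7.0"): "7.0 U1c",
    ("vcenter", "6.7"): "6.7 U3l",
    ("vcenter", "6.5"): "6.5 U3n",
    ("vcf", "4"): "4.2",
    ("vcf", "3"): "3.10.1.2",
}

# "<dotted numbers> [U<n>[<letter>]]", e.g. "7.0 U1c", "6.5 U3", "3.10.1.2"
_VER_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:U(\d+)([a-z])?)?\s*$", re.I)


def parse_version(text):
    """Return a comparable tuple (dotted numbers, update number, update letter).

    Ordering: '7.0' < '7.0 U1' < '7.0 U1a' < '7.0 U1c' < '7.0 U2'.
    A missing update or letter sorts before any present one.
    """
    m = _VER_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    update = int(m.group(2)) if m.group(2) else 0
    letter = ord(m.group(3).lower()) - ord("a") + 1 if m.group(3) else 0
    return nums, update, letter


def branch(product, version):
    """Map a version to the advisory's branch key: major.minor for vCenter,
    major for Cloud Foundation."""
    nums = parse_version(version)[0]
    if product == "vcenter":
        return ".".join(str(n) for n in nums[:2])
    if product == "vcf":
        return str(nums[0])
    raise ValueError(f"unknown product: {product!r}")


def is_affected(product, version):
    """True if version is below the first fixed release of its branch,
    False if at or above it, None if the branch is not in the advisory
    (e.g. vCenter 8.0, which post-dates the fix) and needs manual review."""
    fixed = FIXED.get((product, branch(product, version)))
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("vcsa-prod-01", "vcenter", "7.0 U1b"),
    ("vcsa-prod-02", "vcenter", "7.0 U1c"),
    ("vcsa-dr", "vcenter", "6.7 U3k"),
    ("vcsa-lab", "vcenter", "6.5 U3n"),
    ("vcf-mgmt", "vcf", "3.10.1.1"),
    ("vcf-edge", "vcf", "4.2"),
    ("vcsa-new", "vcenter", "8.0"),
]


def triage(inventory=INVENTORY):
    """Return the hosts that still need the VMSA-2021-0002 patch."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


if __name__ == "__main__":
    for host, product, ver in INVENTORY:
        print(f"{host:14} {product:8} {ver:10} affected={is_affected(product, ver)}")
    print("needs patch:", triage())
```

Hosts whose branch the advisory does not cover come back as None rather than False, so a newer or older branch is surfaced for review instead of silently passing.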

An attacker with network connectivity to the vCenter Server on TCP port 443 can send specially crafted requests to upload arbitrary files and subsequently execute operating-system commands with unrestricted privileges on the underlying host. No authentication or user interaction is required, enabling complete compromise of the vCenter instance and any connected infrastructure.

The official VMware advisory VMSA-2021-0002 recommends immediate application of the listed patches that remediate the plugin flaw; organizations should also restrict external exposure of port 443 and monitor for anomalous file-upload activity. Public exploit code demonstrating arbitrary file upload and remote code execution against the affected versions has been published, confirming that working attacks are readily available.


Vulnerability details

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

VMware Cloud Foundation: 3.x before 3.10.1.2; 4.x before 4.2
VMware vCenter Server: 6.5 before 6.5 U3n; 6.7 before 6.7 U3l; 7.0 before 7.0 U1c

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-2 (Flaw Remediation): directly requires timely installation of the vendor patches that close the path-traversal/RCE flaw in the vSphere Client plugin.

Prevent, SC-7 (Boundary Protection): enforces boundary protection and ingress filtering so that TCP 443 on vCenter is reachable only from trusted administrative networks, blocking unauthenticated access from untrusted sources.

Detect: requires continuous monitoring and anomaly detection for unexpected file-upload or command-execution behaviour on the vCenter host.
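The SC-7 control above is only as good as the rule set that implements it, and a single over-broad allow rule reintroduces the unauthenticated exposure this CVE needs. The following is an added example, not code from this page or from VMware: a small policy lint that flags allow rules reaching the vCenter address on TCP 443 from outside the management range, and a first-match evaluator that shows the weak policy admitting an internet host while the corrected policy denies it. The Rule shape, the addresses and both policies are constructed; mapping a real firewall export into this shape is an assumption left to the reader.

```python
"""Lint a firewall policy for SC-7: vCenter TCP/443 must be reachable only
from trusted administrative networks.

Added example, not code from the page or from VMware. The Rule shape, the
addresses and the sample policies are constructed; translating a real
firewall's export into this shape is left as an assumption for the reader.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # TCP destination port
    action: str   # "allow" or "deny"


VCENTER = ipaddress.ip_network("10.10.5.10/32")         # constructed vCenter address
MGMT_SOURCES = [ipaddress.ip_network("10.10.0.0/16")]   # constructed admin network

# Constructed sample policy, evaluated top-down with first match winning.
# The second rule is the weak one: it opens 443 on the vCenter subnet to anyone.
POLICY = [
    Rule("10.10.0.0/16", "10.10.5.0/24", 443, "allow"),
    Rule("0.0.0.0/0", "10.10.5.0/24", 443, "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", 443, "deny"),
]

# Corrected policy: the any-source allow is dropped, so only the management
# range reaches 443 and the trailing deny catches everything else.
HARDENED = [r for r in POLICY if not (r.action == "allow" and r.src == "0.0.0.0/0")]


def overly_broad_allows(policy, target=VCENTER, port=443, mgmt=MGMT_SOURCES):
    """Return allow rules that reach target:port from a source range not
    wholly contained in a management network. This is a static per-rule
    check, independent of ordering, so it is deliberately conservative:
    such a rule is flagged even if an earlier rule shadows part of it."""
    findings = []
    for rule in policy:
        if rule.action != "allow" or rule.port != port:
            continue
        if not target.subnet_of(ipaddress.ip_network(rule.dst)):
            continue
        src = ipaddress.ip_network(rule.src)
        if not any(src.subnet_of(m) for m in mgmt):
            findings.append(rule)
    return findings


def decide(policy, src_ip, target=VCENTER, port=443, default="deny"):
    """First-match evaluation: what the policy does with one source address
    trying to reach target:port. Falls back to `default` if nothing matches."""
    ip = ipaddress.ip_address(src_ip)
    for rule in policy:
        if rule.port != port:
            continue
        if ip in ipaddress.ip_network(rule.src) and target.subnet_of(
            ipaddress.ip_network(rule.dst)
        ):
            return rule.action
    return default


if __name__ == "__main__":
    for name, pol in (("POLICY", POLICY), ("HARDENED", HARDENED)):
        print(name, "broad allows:", [r.src for r in overly_broad_allows(pol)])
        print(name, "internet host 203.0.113.5 ->", decide(pol, "203.0.113.5"))
        print(name, "admin host 10.10.1.20 ->", decide(pol, "10.10.1.20"))
```

Run this against the exported rule set before and after a change: the static check catches a broad allow regardless of where it sits in the list, and the evaluator gives a concrete answer for the one question that matters here, whether an arbitrary internet address can reach vCenter on 443 without authenticating first.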
