CVE-2021-21972
Published: 24 February 2021
Summary
CVE-2021-21972 is a critical-severity Path Traversal (CWE-22) vulnerability in VMware vCenter Server. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a remote code execution flaw in the vSphere Client (HTML5) component of VMware vCenter Server, specifically within a server plugin. It stems from improper handling that permits path traversal (CWE-22) and affects VMware vCenter Server 7.x releases prior to 7.0 U1c, 6.7 releases prior to 6.7 U3l, and 6.5 releases prior to 6.5 U3n, as well as VMware Cloud Foundation 4.x releases prior to 4.2 and 3.x releases prior to 3.10.1.2. The issue carries a CVSS score of 9.8, reflecting network-accessible, unauthenticated exploitation with full impact on confidentiality, integrity, and availability.
An attacker with network connectivity to the vCenter Server on TCP port 443 can send specially crafted requests to upload arbitrary files and subsequently execute operating-system commands with unrestricted privileges on the underlying host. No authentication or user interaction is required, enabling complete compromise of the vCenter instance and any connected infrastructure.
The official VMware advisory VMSA-2021-0002 recommends immediate application of the listed patches that remediate the plugin flaw; organizations should also restrict external exposure of port 443 and monitor for anomalous file-upload activity. Public exploit code demonstrating arbitrary file upload and remote code execution against the affected versions has been published, confirming that working attacks are readily available.
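The flaw class described above is an upload handler that writes archive entries without checking where their names resolve. The following is an added illustration of the check such a handler needs, not VMware's patch or any code from this advisory: it uses Python's tarfile on constructed in-memory archives, with /srv/uploads as an assumed destination directory.

```python
import io
import os
import tarfile

def build_tar(entries):
    """Build an in-memory tar as constructed test data, not a real upload.
    entries: (name, payload) for a file, or (name, b"", linkname) for a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload, *link in entries:
            info = tarfile.TarInfo(name)
            if link:
                info.type = tarfile.SYMTYPE
                info.linkname = link[0]
            else:
                info.size = len(payload)
            tar.addfile(info, None if link else io.BytesIO(payload))
    return buf.getvalue()

def unsafe_entries(archive_bytes, dest_dir):
    """Return names of tar entries that would land outside dest_dir: '..'
    traversal, absolute names, and links whose target resolves elsewhere.
    Comparing resolved paths is the check to run before writing to disk."""
    dest = os.path.realpath(dest_dir)
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest, member.name))
            if os.path.commonpath([dest, target]) != dest:
                flagged.append(member.name)
                continue
            if member.issym() or member.islnk():
                # symlink targets are relative to the entry's directory,
                # hard-link targets to the archive root; absolute ones stand
                base = os.path.dirname(target) if member.issym() else dest
                resolved = os.path.realpath(os.path.join(base, member.linkname))
                if os.path.commonpath([dest, resolved]) != dest:
                    flagged.append(member.name)
    return flagged

def safe_extract(archive_bytes, dest_dir):
    """Reject the whole upload if any entry escapes dest_dir, else extract."""
    bad = unsafe_entries(archive_bytes, dest_dir)
    if bad:
        raise ValueError(f"rejected upload, traversal entries: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        tar.extractall(dest_dir)
```

Rejecting the whole archive rather than skipping the bad entry keeps a partially written upload from reaching disk at all.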
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-9143
Vulnerability details
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
- CWE(s): CWE-22 (Path Traversal)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely installation of vendor patches that close the path-traversal/RCE flaw in the vSphere Client plugin.
- SC-7 (Boundary Protection): Enforces boundary protection and ingress filtering to block unauthenticated network access to TCP 443 from untrusted sources.
- Requires continuous monitoring and anomaly detection for unexpected file-upload or command-execution behavior on the vCenter host.