
CVE-2021-21973

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 24 February 2021
Modified: 30 October 2025
KEV Added: 07 March 2022
Patch: available (see VMware advisory VMSA-2021-0002)
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.9039 (99.6th percentile)
Risk Priority: 85 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-21973 is a medium-severity server-side request forgery (SSRF, CWE-918) vulnerability in VMware vCenter Server. Its CVSS v3.1 base score is 5.3 (Medium).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vSphere Client (HTML5) component of VMware vCenter Server contains a server-side request forgery vulnerability stemming from insufficient validation of URLs processed by a vCenter Server plugin. The flaw affects VMware vCenter Server versions 7.x prior to 7.0 U1c, 6.7 prior to 6.7 U3l, and 6.5 prior to 6.5 U3n, as well as VMware Cloud Foundation releases 4.x prior to 4.2 and 3.x prior to 3.10.1.2.

An unauthenticated attacker with network access to vCenter Server on TCP port 443 can exploit the issue by submitting a crafted POST request to the affected plugin. Successful exploitation results in information disclosure, corresponding to a CVSS 3.1 base score of 5.3 under CWE-918.

VMware's VMSA-2021-0002 advisory details the affected releases and corresponding fixed versions. The vulnerability is also tracked in CISA's catalog of known exploited vulnerabilities, confirming observed in-the-wild activity.


Vulnerability details

The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

CWE(s): CWE-918 (Server-Side Request Forgery)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- VMware Cloud Foundation: 3.0 through 3.10.1.2; 4.0 through 4.2
- VMware vCenter Server: 6.5, 6.7, 7.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of URL inputs processed by the vCenter plugin to block crafted SSRF requests.

AC-4 Information Flow Enforcement (prevent): Enforces policy-based restrictions on server-initiated outbound requests, preventing the unauthorized information flows exploited by this SSRF.

Boundary protection (prevent): Boundary protection mechanisms (e.g., allow-listing or proxy inspection) can block or sanitize the malicious POST requests reaching the vulnerable plugin on port 443.
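The SI-10 and AC-4 controls above amount to one rule for a server-side plugin that fetches URLs on a caller's behalf: validate the URL before any request is issued, and only let the server reach named destinations it is supposed to reach. The following is an added illustration of that deny-by-default guard, not code from VMware or from this page; the allow-listed host names, the `check_outbound_url` and `guarded_fetch` functions and the sample URLs are all constructed for the example.

```python
"""Outbound URL guard for a server-side plugin, illustrating SI-10 (input
validation of the URL) and AC-4 (policy on server-initiated flows).
Added example; not VMware's code."""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the plugin only ever needs these named backends over HTTPS.
ALLOWED_HOSTS = frozenset({"api.example.com", "updates.example.com"})
ALLOWED_SCHEMES = frozenset({"https"})


def check_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS):
    """Return (allowed, reason). Deny by default: only https to a named host
    on the allow-list passes. Literal IP addresses, credentials in the
    authority part and unparsable ports are rejected up front, so a caller
    cannot steer the server toward arbitrary internal endpoints."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False, "unparsable url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # "user@host" tricks: the part before '@' is userinfo, not the host.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in authority"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # Never allow literal addresses (IPv4 or bracketed IPv6); only named hosts.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return False, "literal ip address"
    if host.lower() not in allowed_hosts:
        return False, "host not on allow-list"
    if port is not None and port != 443:
        return False, "port not allowed"
    return True, "ok"


def guarded_fetch(url: str, fetch):
    """Issue the request only after the guard passes. `fetch` is injected so
    the example runs offline; a real plugin would pass its HTTP client."""
    allowed, reason = check_outbound_url(url)
    if not allowed:
        raise PermissionError(f"outbound request blocked: {reason}")
    return fetch(url)


if __name__ == "__main__":
    # Constructed sample inputs a plugin might receive from a client request.
    samples = [
        "https://api.example.com/v1/status",
        "http://api.example.com/",
        "https://api.example.com@evil.example.net/",
        "https://[::1]/",
        "https://192.168.0.10/",
        "https://api.example.com.evil.net/",
        "https://api.example.com:8443/",
    ]
    for u in samples:
        print(u, "->", check_outbound_url(u))
```

The decision is made on the parsed components, not on substring matches against the raw string, which is why the `user@host` and `allowed-host.evil.net` cases are caught; in production the allow-list belongs in configuration, and the proxy or egress policy enforcing AC-4 should deny the same destinations independently of the application check.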
