Cyber Resilience

CVE-2021-21975

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 31 March 2021
Modified: 30 October 2025
KEV Added: 18 January 2022
Patch:
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9442 (100.0th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-21975 is a high-severity SSRF (CWE-918) vulnerability in VMware Cloud Foundation. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2021-21975 is a Server Side Request Forgery vulnerability in the vRealize Operations Manager API affecting versions prior to 8.4. The flaw is tracked under CWE-918 and carries a CVSS 3.1 base score of 7.5, reflecting network attack vector, low complexity, and no required privileges or user interaction.

A malicious actor with network access to the vRealize Operations Manager API can exploit the issue to conduct an SSRF attack that results in theft of administrative credentials.

The primary vendor advisory is VMware VMSA-2021-0004, which addresses the affected product versions. The vulnerability is also catalogued in the CISA Known Exploited Vulnerabilities list, confirming observed real-world exploitation activity.

EU & UK References

Vulnerability details

Server Side Request Forgery in the vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform a Server Side Request Forgery attack to steal administrative credentials.

CWE(s): CWE-918
KEV Date Added: 18 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vmware
cloud foundation
3.0, 3.0.1, 3.0.1.1, 3.10, 3.5
vmware
vrealize operations manager
7.0.0, 7.5.0, 8.0.0, 8.0.1, 8.1.0
vmware
vrealize suite lifecycle manager
8.0, 8.0.1, 8.1, 8.2

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Input validation on the vRealize Operations Manager API would reject crafted URLs that enable the SSRF requests used to exfiltrate administrative credentials.

prevent: Information flow enforcement policies can block the API from initiating unauthorized outbound requests to internal resources that would disclose credentials.

prevent: Boundary protection mechanisms can restrict or inspect the API's outbound connections, limiting the SSRF channel to internal credential stores.

References