CVE-2021-22005
Published: 23 September 2021
Summary
CVE-2021-22005 is a critical-severity Path Traversal (CWE-22) vulnerability in VMware vCenter Server. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
vCenter Server contains an arbitrary file upload vulnerability in the Analytics service, tracked as CVE-2021-22005 with a CVSS 3.1 base score of 9.8. The flaw is classified under CWE-22 and affects a component that is reachable over the network on the standard HTTPS port (443).
A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on the server by uploading a specially crafted file. No authentication or user interaction is required, enabling remote code execution with full impact on confidentiality, integrity, and availability.
The primary vendor advisory is VMware VMSA-2021-0020, which provides official guidance on affected versions and remediation steps. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation activity. Public exploit code has also been published via Packet Storm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-9174
Vulnerability details
The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
- CWE(s): CWE-22
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): enforces validation of uploaded files in the Analytics service, directly blocking the specially crafted file that enables unauthenticated RCE.
- SC-7 (Boundary Protection): restricts network traffic to port 443 and the Analytics service, preventing external actors from reaching the file-upload endpoint.
- Disables or restricts the unnecessary Analytics service component, eliminating the attack surface for arbitrary file uploads.