Cyber Resilience

CVE-2021-22005

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 23 September 2021
Modified: 30 October 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9445 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-22005 is a critical-severity vulnerability in VMware vCenter Server, classified under CWE-22 (Path Traversal); the vendor describes it as an arbitrary file upload in the Analytics service. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the 100th percentile of all scored CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

vCenter Server contains an arbitrary file upload vulnerability in the Analytics service, tracked as CVE-2021-22005 with a CVSS v3.1 base score of 9.8. The flaw is classified under CWE-22 (Path Traversal), and the affected component is reachable over the network on the standard HTTPS port (443/tcp).

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on the server by uploading a specially crafted file. No authentication or user interaction is required, enabling remote code execution with full impact on confidentiality, integrity, and availability.

The primary vendor advisory is VMware VMSA-2021-0020, which provides official guidance on affected versions and remediation steps. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation activity. Public exploit code has also been published via Packet Storm.


Vulnerability details

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

VMware Cloud Foundation: 3.0 to 5.0
VMware vCenter Server: 6.5, 6.7, 7.0

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Enforces validation of files uploaded to the Analytics service, directly blocking the specially crafted file that enables unauthenticated RCE.

Prevent: SC-7 (Boundary Protection). Restricts which sources can reach port 443 on vCenter Server, and the Analytics service behind it, so that untrusted network segments cannot reach the file-upload endpoint.

Prevent: CM-7 (Least Functionality). Disables or restricts the Analytics service component where it is not needed, removing the attack surface for arbitrary file uploads.

These controls reduce exposure; the remediation itself is the patch described in VMware advisory VMSA-2021-0020.
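The boundary-protection control above is only as good as its verification. The following added example (not the page's or VMware's code) checks, from whatever host it runs on, whether a TCP handshake to port 443 on a vCenter address completes, and compares the result with the policy expected for that network segment. The vCenter hostname in the comment is an assumption, and the self-test substitutes a loopback listener for a real appliance so the script runs offline.

```python
"""Verify an SC-7 boundary rule for vCenter's HTTPS port from a given vantage
point: management hosts should reach 443/tcp, other segments should not.
Added example; the target address is an assumption."""
import socket
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Result:
    host: str
    port: int
    reachable: bool
    expected: bool

    @property
    def violation(self) -> bool:
        """True when observed reachability contradicts the policy."""
        return self.reachable != self.expected


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP three-way handshake to host:port completes within timeout.
    A filter that drops SYNs surfaces as a timeout and a closed port as a
    refusal; both count as 'not reachable' for the boundary check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check(host: str, port: int, expected: bool, timeout: float = 3.0) -> Result:
    return Result(host, port, tcp_reachable(host, port, timeout), expected)


def self_test() -> Tuple[Result, Result]:
    """Stand-in for a vCenter appliance: a loopback listener plays the role of
    an exposed port 443, then is closed to play a filtered one. Both checks are
    run with the policy 'this segment must not reach vCenter'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    exposed = check("127.0.0.1", port, expected=False, timeout=1.0)
    srv.close()
    blocked = check("127.0.0.1", port, expected=False, timeout=1.0)
    return exposed, blocked


if __name__ == "__main__":
    # Real use from a non-management host (assumed hostname):
    # print(check("vcenter.example.internal", 443, expected=False))
    for r in self_test():
        print(r, "VIOLATION" if r.violation else "ok")
```

Run it from each segment with the expectation that segment's firewall policy implies; any `violation` from a non-management segment means the unauthenticated upload endpoint is reachable from where it should not be, regardless of patch status.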
