Cyber Resilience

CVE-2021-22017

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 23 September 2021

Modified: 30 October 2025
KEV Added: 10 January 2022
Patch
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.7483 (98.9th percentile)
Risk Priority: 76 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-22017 is a medium-severity vulnerability of unspecified weakness type (NVD-CWE-noinfo) in VMware vCenter Server. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. The affected component is the reverse proxy functionality within VMware vCenter Server, which listens on port 443. The issue received a CVSS v3.1 score of 5.3 and is tracked under NVD-CWE-noinfo.

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to bypass the proxy, leading to internal endpoints being accessed. The attack requires no authentication or user interaction and results in limited disclosure of information from otherwise protected resources.

The vulnerability is referenced in VMware security advisory VMSA-2021-0020 and appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed real-world exploitation activity.

EU & UK References

Vulnerability details

Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to bypass the proxy, leading to internal endpoints being accessed.

CWE(s)
KEV Date Added: 10 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

VMware vCenter Server 6.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3, Access Enforcement): Directly enforces approved access paths through the reverse proxy, blocking the URI-normalization bypass that exposes internal endpoints on port 443.

Prevent (SC-7, Boundary Protection): Requires boundary-protection mechanisms (such as the rhttproxy) to inspect and filter traffic, preventing unauthorized traversal to internal resources.

Prevent: Enforces information-flow rules between external and internal networks, mitigating the proxy-bypass path that would otherwise allow direct access to protected endpoints.

References