CVE-2021-21972
CVE-2021-21972 is a critical-severity vulnerability in Vmware Cloud Foundation with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-9143
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-22
- Affected product: Vmware Cloud Foundation
- Published:
- Last modified:
Description
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
CVE-2021-21972: VMware vCenter Server Unauthenticated Remote Code Execution via vSphere Client Plugin
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2021-21972 |
| CVSS v2 | 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| CVSS v3.1 | 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") |
| EPSS | 0.9957 (99.57% probability) — percentile 0.99942 |
| KEV | Yes (CISA KEV, added 2021-11-03) |
| EU Exploited | Yes (since 2021-11-03) |
| Published | 2021-02-24 |
| Assigner | VMware PSIRT ([email protected]) |
Summary
CVE-2021-21972 is a critical remote code execution vulnerability in the vSphere Client (HTML5) of VMware vCenter Server. An unauthenticated attacker with network access to TCP port 443 can exploit a path traversal flaw in a vCenter Server plugin to upload files to arbitrary locations on the underlying operating system, leading to execution of commands with unrestricted privileges.
Background
VMware vCenter Server is the centralized management platform for VMware vSphere environments, responsible for provisioning, monitoring, and orchestrating virtualized infrastructure. The vSphere Client (HTML5) is the modern web-based administration interface used by system administrators and operators to interact with vCenter. The platform exposes multiple plugins and REST endpoints to support integrated services such as monitoring and analytics. This vulnerability resides in one such plugin, making it reachable without authentication from any network location that can reach the vCenter Server management interface.
Root Cause
The root cause is CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). The affected vCenter Server plugin within the vSphere Client (HTML5) accepts file uploads but fails to adequately sanitize user-supplied file paths. By manipulating the path component of an upload request, an attacker can traverse outside the intended upload directory and write files to arbitrary filesystem locations on the vCenter Server appliance, including web-accessible paths or directories from which the operating system will execute code.
Impact
With a CVSS v3.1 score of 9.8 (CRITICAL), this vulnerability presents the highest severity impact:
- Confidentiality: Complete compromise — an attacker can read any file on the vCenter Server host.
- Integrity: Complete compromise — an attacker can modify system files, configurations, and virtual machine metadata.
- Availability: Complete compromise — an attacker can disrupt services, delete data, or pivot to the hypervisor layer.
The attack requires no authentication, no user interaction, and can be conducted over the network with low complexity. Because vCenter Server typically has broad administrative control over the entire virtualized estate, compromise of this system often equates to compromise of the entire environment.
Exploitation Walkthrough
Ethics Caveat: This section is provided for defensive awareness only. Public proof-of-concept exploit code for this vulnerability has been widely available since early 2021 and has been integrated into multiple exploitation frameworks. Do not use this information to target systems without explicit authorization.
From a defensive standpoint, exploitation proceeds as follows:
- Reconnaissance: The attacker identifies an accessible vCenter Server instance listening on TCP port 443.
- Upload Abuse: The attacker sends a crafted multipart upload request to the vulnerable plugin endpoint. By including directory traversal sequences (e.g.,
../) in the filename parameter, the attacker bypasses the intended upload directory restriction. - Arbitrary File Write: The server writes the uploaded payload to an attacker-controlled path on the underlying filesystem — for example, a web application directory or a startup script location.
- Code Execution: Depending on where the file lands, the attacker triggers execution via a subsequent web request or waits for the system to process the file automatically, yielding arbitrary command execution as an unrestricted user on the vCenter Server host.
Security teams should treat any vCenter Server instance that was internet-facing or accessible from untrusted networks during the exposure window as potentially compromised.
Affected and Patched Versions
Affected
- VMware vCenter Server 7.0 — all versions before 7.0 U1c
- VMware vCenter Server 6.7 — all versions before 6.7 U3l
- VMware vCenter Server 6.5 — all versions before 6.5 U3n
- VMware Cloud Foundation 4.x — all versions before 4.2
- VMware Cloud Foundation 3.x — all versions before 3.10.1.2
Patched
- VMware vCenter Server 7.0 U1c and later
- VMware vCenter Server 6.7 U3l and later
- VMware vCenter Server 6.5 U3n and later
- VMware Cloud Foundation 4.2 and later
- VMware Cloud Foundation 3.10.1.2 and later
Remediation
- Patch Immediately: Apply the relevant vCenter Server or Cloud Foundation update from VMware. Given the active exploitation of this vulnerability in the wild, patching should be treated as an emergency change.
- Compensating Controls (if immediate patching is not possible):
- Place the vCenter Server management interface behind a restricted-access jump host or VPN; do not expose TCP 443 to untrusted networks.
- Implement network segmentation to ensure only authorized administrative hosts can reach vCenter Server.
- Deploy a Web Application Firewall (WAF) or reverse proxy with strict upload filtering and path traversal detection rules in front of the vCenter Server interface.
- Monitor for and block known exploit signatures at the network perimeter.
Detection
Defenders should monitor for the following indicators and behaviors:
- Unexpected file writes in web-accessible or system directories on the vCenter Server appliance, especially from the application service account.
- Unusual child process execution originating from the vCenter Server process (e.g.,
java,python,bash, orshspawned by the web service). - Abnormal outbound network connections from the vCenter Server host to external command-and-control infrastructure.
- HTTP POST requests to plugin endpoints containing traversal sequences (
../,..\) in filenames. - New or modified JSP/shell files appearing in application directories without an authorized change record.
Organizations with centralized logging for vCenter Server should retrospectively hunt for exploitation attempts across the entire exposure window.
Assessment
CVE-2021-21972 is one of the most consequential virtualization infrastructure vulnerabilities of the past decade. With an EPSS score of 0.9957 and a percentile of 0.99942, it ranks among the most reliably exploited vulnerabilities tracked. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog (added 2021-11-03) and the EU Vulnerability Database (exploited since 2021-11-03) confirms sustained, in-the-wild abuse.
Key Lessons:
- Plugin security is platform security: A single insecure plugin in a centralized management console can collapse the security boundary of an entire virtualized datacenter. Organizations should inventory all plugins and extensions and remove those that are unused.
- Assume breach for exposed management planes: vCenter Server and similar infrastructure management interfaces should never be directly internet-facing. Where they are, the exposure window must be measured in hours, not days.
References
- http://packetstormsecurity.com/files/161590/VMware-vCenter-Server-7.0-Arbitrary-File-Upload.html
- http://packetstormsecurity.com/files/161695/VMware-vCenter-Server-File-Upload-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/163268/VMware-vCenter-6.5-6.7-7.0-Remote-Code-Execution.html
- https://www.vmware.com/security/advisories/VMSA-2021-0002.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21972
Frequently asked questions
- What is CVE-2021-21972?
- The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
- How severe is CVE-2021-21972?
- CVE-2021-21972 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-21972 being actively exploited?
- Yes. CVE-2021-21972 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-21972?
- CVE-2021-21972 primarily affects Vmware Cloud Foundation. In total, 42 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-21972?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-21972 have an EU (EUVD) identifier?
- Yes. CVE-2021-21972 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-9143. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-21972 published?
- CVE-2021-21972 was published on 2021-02-24 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/161590/VMware-vCenter-Server-7.0-Arbitrary-File-Upload.html
- http://packetstormsecurity.com/files/161695/VMware-vCenter-Server-File-Upload-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/163268/VMware-vCenter-6.5-6.7-7.0-Remote-Code-Execution.html
- https://www.vmware.com/security/advisories/VMSA-2021-0002.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21972
Affected products (42)
- cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:e:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:f:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:update2c:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:update2d:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:update2g:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:update3:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:update3d:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:update3f:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:update3k:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:a:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:b:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:d:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:update1:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:update1b:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:update2:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:update2a:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:update2c:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:update3:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:update3a:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:update3b:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:update3f:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:update3g:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:update3j:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:7.0:a:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:7.0:b:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:7.0:c:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:7.0:d:*:*:*:*:*:*
More vulnerabilities in Vmware Cloud Foundation
- CVE-2023-34063 — Critical (CVSS 9.9): Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this…
- CVE-2024-38812 — Critical (CVSS 9.8): The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious…
- CVE-2024-37079 — Critical (CVSS 9.8): vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor…
- CVE-2023-20864 — Critical (CVSS 9.8): VMware Aria Operations for Logs contains a deserialization vulnerability. An unauthenticated, malicious actor with…
- CVE-2022-22972 — Critical (CVSS 9.8): VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability…
- CVE-2022-22954 — Critical (CVSS 9.8): VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side…
All CVEs affecting Vmware Cloud Foundation →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…