CVE-2021-21972

CVE-2021-21972 is a critical-severity vulnerability in Vmware Cloud Foundation with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.

Key facts

Description

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

CVE-2021-21972: VMware vCenter Server Unauthenticated Remote Code Execution via vSphere Client Plugin

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2021-21972
CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS v3.1 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")
EPSS 0.9957 (99.57% probability) — percentile 0.99942
KEV Yes (CISA KEV, added 2021-11-03)
EU Exploited Yes (since 2021-11-03)
Published 2021-02-24
Assigner VMware PSIRT ([email protected])

Summary

CVE-2021-21972 is a critical remote code execution vulnerability in the vSphere Client (HTML5) of VMware vCenter Server. An unauthenticated attacker with network access to TCP port 443 can exploit a path traversal flaw in a vCenter Server plugin to upload files to arbitrary locations on the underlying operating system, leading to execution of commands with unrestricted privileges.

Background

VMware vCenter Server is the centralized management platform for VMware vSphere environments, responsible for provisioning, monitoring, and orchestrating virtualized infrastructure. The vSphere Client (HTML5) is the modern web-based administration interface used by system administrators and operators to interact with vCenter. The platform exposes multiple plugins and REST endpoints to support integrated services such as monitoring and analytics. This vulnerability resides in one such plugin, making it reachable without authentication from any network location that can reach the vCenter Server management interface.

Root Cause

The root cause is CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). The affected vCenter Server plugin within the vSphere Client (HTML5) accepts file uploads but fails to adequately sanitize user-supplied file paths. By manipulating the path component of an upload request, an attacker can traverse outside the intended upload directory and write files to arbitrary filesystem locations on the vCenter Server appliance, including web-accessible paths or directories from which the operating system will execute code.

Impact

With a CVSS v3.1 score of 9.8 (CRITICAL), this vulnerability presents the highest severity impact:

  • Confidentiality: Complete compromise — an attacker can read any file on the vCenter Server host.
  • Integrity: Complete compromise — an attacker can modify system files, configurations, and virtual machine metadata.
  • Availability: Complete compromise — an attacker can disrupt services, delete data, or pivot to the hypervisor layer.

The attack requires no authentication, no user interaction, and can be conducted over the network with low complexity. Because vCenter Server typically has broad administrative control over the entire virtualized estate, compromise of this system often equates to compromise of the entire environment.

Exploitation Walkthrough

Ethics Caveat: This section is provided for defensive awareness only. Public proof-of-concept exploit code for this vulnerability has been widely available since early 2021 and has been integrated into multiple exploitation frameworks. Do not use this information to target systems without explicit authorization.

From a defensive standpoint, exploitation proceeds as follows:

  1. Reconnaissance: The attacker identifies an accessible vCenter Server instance listening on TCP port 443.
  2. Upload Abuse: The attacker sends a crafted multipart upload request to the vulnerable plugin endpoint. By including directory traversal sequences (e.g., ../) in the filename parameter, the attacker bypasses the intended upload directory restriction.
  3. Arbitrary File Write: The server writes the uploaded payload to an attacker-controlled path on the underlying filesystem — for example, a web application directory or a startup script location.
  4. Code Execution: Depending on where the file lands, the attacker triggers execution via a subsequent web request or waits for the system to process the file automatically, yielding arbitrary command execution as an unrestricted user on the vCenter Server host.

Security teams should treat any vCenter Server instance that was internet-facing or accessible from untrusted networks during the exposure window as potentially compromised.

Affected and Patched Versions

Affected

  • VMware vCenter Server 7.0 — all versions before 7.0 U1c
  • VMware vCenter Server 6.7 — all versions before 6.7 U3l
  • VMware vCenter Server 6.5 — all versions before 6.5 U3n
  • VMware Cloud Foundation 4.x — all versions before 4.2
  • VMware Cloud Foundation 3.x — all versions before 3.10.1.2

Patched

  • VMware vCenter Server 7.0 U1c and later
  • VMware vCenter Server 6.7 U3l and later
  • VMware vCenter Server 6.5 U3n and later
  • VMware Cloud Foundation 4.2 and later
  • VMware Cloud Foundation 3.10.1.2 and later

Remediation

  1. Patch Immediately: Apply the relevant vCenter Server or Cloud Foundation update from VMware. Given the active exploitation of this vulnerability in the wild, patching should be treated as an emergency change.
  2. Compensating Controls (if immediate patching is not possible):
    • Place the vCenter Server management interface behind a restricted-access jump host or VPN; do not expose TCP 443 to untrusted networks.
    • Implement network segmentation to ensure only authorized administrative hosts can reach vCenter Server.
    • Deploy a Web Application Firewall (WAF) or reverse proxy with strict upload filtering and path traversal detection rules in front of the vCenter Server interface.
    • Monitor for and block known exploit signatures at the network perimeter.

Detection

Defenders should monitor for the following indicators and behaviors:

  • Unexpected file writes in web-accessible or system directories on the vCenter Server appliance, especially from the application service account.
  • Unusual child process execution originating from the vCenter Server process (e.g., java, python, bash, or sh spawned by the web service).
  • Abnormal outbound network connections from the vCenter Server host to external command-and-control infrastructure.
  • HTTP POST requests to plugin endpoints containing traversal sequences (../, ..\) in filenames.
  • New or modified JSP/shell files appearing in application directories without an authorized change record.

Organizations with centralized logging for vCenter Server should retrospectively hunt for exploitation attempts across the entire exposure window.

Assessment

CVE-2021-21972 is one of the most consequential virtualization infrastructure vulnerabilities of the past decade. With an EPSS score of 0.9957 and a percentile of 0.99942, it ranks among the most reliably exploited vulnerabilities tracked. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog (added 2021-11-03) and the EU Vulnerability Database (exploited since 2021-11-03) confirms sustained, in-the-wild abuse.

Key Lessons:

  1. Plugin security is platform security: A single insecure plugin in a centralized management console can collapse the security boundary of an entire virtualized datacenter. Organizations should inventory all plugins and extensions and remove those that are unused.
  2. Assume breach for exposed management planes: vCenter Server and similar infrastructure management interfaces should never be directly internet-facing. Where they are, the exposure window must be measured in hours, not days.

References

Frequently asked questions

What is CVE-2021-21972?
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
How severe is CVE-2021-21972?
CVE-2021-21972 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-21972 being actively exploited?
Yes. CVE-2021-21972 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-21972?
CVE-2021-21972 primarily affects Vmware Cloud Foundation. In total, 42 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-21972?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-21972 have an EU (EUVD) identifier?
Yes. CVE-2021-21972 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-9143. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-21972 published?
CVE-2021-21972 was published on 2021-02-24 and last updated on 2026-06-17.

References

Affected products (42)

More vulnerabilities in Vmware Cloud Foundation

All CVEs affecting Vmware Cloud Foundation →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →