CVE-2021-21975

CVE-2021-21975 is a high-severity vulnerability in Vmware Cloud Foundation with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-01-18). The underlying weakness is classified as CWE-918.

Key facts

Description

Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.

CVE-2021-21975: VMware vRealize Operations Manager SSRF Enables Administrative Credential Theft

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2021-21975
Published 2021-03-31
CWE CWE-918 — Server-Side Request Forgery (SSRF)
CVSS v3.1 7.5 (HIGH) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS 0.7829 (99.5th percentile)
KEV Status Listed in CISA KEV (added 2022-01-18)
Vendor Advisory VMSA-2021-0004

Summary

A server-side request forgery (SSRF) vulnerability exists in the VMware vRealize Operations Manager API prior to version 8.4. An attacker with network access to the vRealize Operations Manager API can perform an SSRF attack to steal administrative credentials. The vulnerability is exploitable without authentication and has been actively exploited in the wild since January 2022.

Background

VMware vRealize Operations Manager is an enterprise-grade operations management platform that provides performance optimization, capacity management, and remediation capabilities across VMware environments. The product exposes a REST API for programmatic integration and automation. Cloud Foundation and vRealize Suite Lifecycle Manager bundle this component as part of their lifecycle management workflows. The vulnerability lies in the API layer, where insufficient validation of user-supplied URLs allows the server to issue requests to internal or external systems on the attacker's behalf.

Root Cause

CWE-918 — Server-Side Request Forgery (SSRF): The vRealize Operations Manager API fails to properly validate or restrict URLs supplied in API request parameters. When an attacker provides a crafted URL, the server-side application makes an HTTP request to that destination using its own privileges and network position. In this case, the vulnerable endpoint can be coerced into making requests to internal services—including authentication or credential-management endpoints—allowing the attacker to intercept or redirect sensitive administrative credentials.

The root cause is a lack of strict input validation and URL allow-listing on API endpoints that perform server-side HTTP requests. The application does not sufficiently restrict request destinations to known-safe internal resources.

Impact

  • CVSS v3.1 Score: 7.5 (HIGH)
    • Attack Vector: Network — exploitable remotely
    • Attack Complexity: Low — no specialized conditions required
    • Privileges Required: None — unauthenticated exploitation possible
    • User Interaction: None — no victim action needed
    • Scope: Unchanged
    • Confidentiality Impact: High — administrative credentials can be stolen
    • Integrity/Availability Impact: None — direct impact is limited to confidentiality

The practical impact is severe: successful exploitation grants an attacker administrative credentials to the vRealize Operations Manager instance. From there, the attacker can pivot to the broader virtualized infrastructure, reconfigure resources, access sensitive monitoring data, or maintain persistent access.

Exploitation Walkthrough

Ethics Notice: The following describes the attack mechanism from a defensive perspective to aid detection, mitigation, and understanding. No weaponized exploit code is provided.

  1. Reconnaissance: The attacker identifies a vRealize Operations Manager instance accessible over the network (typically TCP 443).
  2. SSRF Trigger: The attacker sends a crafted API request to the vulnerable endpoint, embedding a URL pointing to an internal service (e.g., a metadata endpoint, authentication callback, or internal API).
  3. Credential Harvesting: The server processes the request and forwards it to the attacker-specified URL. If the attacker controls an external listener, they receive the outgoing request—including any tokens, session identifiers, or credentials that the server includes in the request.
  4. Privilege Escalation: With harvested administrative credentials, the attacker authenticates to the vRealize Operations Manager and gains full control over the managed environment.

Real-world exploitation has been confirmed: the vulnerability was added to the CISA Known Exploited Vulnerabilities catalog on 2022-01-18, and public proof-of-concept materials have circulated since 2021.

Affected and Patched Versions

Affected Products & Versions:

  • VMware vRealize Operations Manager: 7.0.0, 7.5.0, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.2.0, 8.3.0
  • VMware Cloud Foundation: 3.0 through 3.10, 4.0, 4.0.1
  • VMware vRealize Suite Lifecycle Manager: 8.0, 8.0.1, 8.1, 8.2

Patched Versions:

  • VMware vRealize Operations Manager: 8.4 and later
  • Upgrade Cloud Foundation and Suite Lifecycle Manager to versions bundling the fixed Operations Manager release.

Remediation

  1. Upgrade Immediately: Apply VMware's patched releases (vRealize Operations Manager 8.4+). This is a known-exploited vulnerability with a high EPSS score—delaying patching carries significant risk.
  2. Network Segmentation: Restrict network access to the vRealize Operations Manager API to trusted administrative hosts only. Block inbound access from untrusted networks.
  3. API Gateway / WAF: Deploy a web application firewall or API gateway with SSRF-specific rules. Block or sanitize outbound requests initiated by the application.
  4. URL Validation (Code-Level): If custom integrations wrap the API, enforce strict allow-list validation on all user-supplied URLs. Reject requests to internal IP ranges, metadata endpoints (169.254.169.254), and non-HTTP schemes.
  5. Credential Rotation: If exploitation is suspected, rotate all administrative credentials for vRealize Operations Manager and connected systems immediately.

Detection

  • Monitor API Logs: Look for unusual outbound HTTP requests originating from the vRealize Operations Manager server, especially to internal IP ranges or unexpected external domains.
  • SSRF Signatures: Alert on API requests containing URL parameters with embedded IP addresses (including 127.0.0.1, 169.254.169.254, or internal DNS names).
  • Credential Abuse: Monitor for administrative logins from atypical source IPs or unusual times following API access anomalies.
  • Network Telemetry: Use network detection tools to identify unexpected HTTP egress from the vRealize Operations Manager appliance.

Assessment

CVE-2021-21975 represents a textbook SSRF vulnerability with outsized impact due to its placement in a privileged infrastructure-management tool. The combination of unauthenticated exploitation, network accessibility, and high EPSS (0.7829) places this in the top tier of vulnerabilities requiring immediate attention. Its inclusion in the CISA KEV catalog and confirmed active exploitation since January 2022 underscore that this is not a theoretical risk.

Key Takeaways:

  1. SSRF in infrastructure APIs is a critical attack vector—credential theft from a management plane can cascade into full environment compromise.
  2. High EPSS scores and KEV status should drive patching prioritization ahead of raw CVSS alone. This CVE scores well on both, making it unambiguously urgent.

References

Frequently asked questions

What is CVE-2021-21975?
Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.
How severe is CVE-2021-21975?
CVE-2021-21975 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2021-21975 being actively exploited?
Yes. CVE-2021-21975 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-01-18, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-21975?
CVE-2021-21975 primarily affects Vmware Cloud Foundation. In total, 27 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-21975?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-21975 have an EU (EUVD) identifier?
Yes. CVE-2021-21975 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-9146. It is also flagged as exploited in the EUVD (since 2022-01-18).
When was CVE-2021-21975 published?
CVE-2021-21975 was published on 2021-03-31 and last updated on 2026-06-17.

References

Affected products (27)

More vulnerabilities in Vmware Cloud Foundation

All CVEs affecting Vmware Cloud Foundation →

Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities

Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →