CVE-2021-21985

CVE-2021-21985 is a critical-severity vulnerability in Vmware Vcenter Server with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-918.

Key facts

Description

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

CVE-2021-21985: VMware vCenter Server Virtual SAN Health Check RCE

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2021-21985
Published 2021-05-26
Last Modified 2026-06-17
Severity (CVSS v3) CRITICAL — 9.8
CVSS v3 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2 10 — AV:N/AC:L/Au:N/C:C/I:C/A:C
CWE CWE-918 (Server-Side Request Forgery)
EPSS 0.99999 (percentile: 0.99992)
Known Exploited Yes — Added to CISA KEV on 2021-11-03
EU Exploited Yes — EUVD-9156 since 2021-11-03
Assigner [email protected]

Summary

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Background

VMware vCenter Server is the centralized management platform for VMware vSphere environments. The Virtual SAN (vSAN) Health Check plug-in is enabled by default and provides health monitoring and diagnostics for vSAN clusters. The plug-in is exposed through the vSphere Client (HTML5) interface on TCP port 443. In May 2021, VMware disclosed a critical vulnerability in this plug-in that allows unauthenticated remote attackers to achieve arbitrary code execution on the vCenter Server host operating system.

Root Cause — CWE-918

The vulnerability stems from CWE-918 (Server-Side Request Forgery) and a lack of adequate input validation within the vSAN Health Check plug-in. Specifically, the plug-in accepts attacker-controlled input without proper sanitization, allowing the injection of malicious payloads. The endpoint handling vSAN health data fails to validate incoming requests before passing them to underlying system commands. This allows an attacker to craft a request that the server will execute with full system privileges, effectively turning the vCenter Server into a remote shell for the attacker.

Impact

With a CVSS v3 score of 9.8, this vulnerability is rated CRITICAL. The impact is total:

Impact Area Severity
Confidentiality High — Full access to all vCenter-managed data, credentials, and secrets
Integrity High — Attacker can modify configurations, deploy VMs, alter network settings
Availability High — Complete system compromise; attacker can disrupt or destroy the environment
Scope Unchanged — The vulnerable component is the vCenter Server itself

Because vCenter Server typically holds privileged access to the entire virtual infrastructure, successful exploitation grants the attacker control over all ESXi hosts, virtual machines, and network configurations managed by that vCenter instance.

Exploitation Walkthrough (Defensive Perspective)

Ethics Caveat: The following describes the attack mechanism from a defender's perspective to aid in detection and mitigation. No weaponized exploit code is provided. Actual exploitation of systems without authorization is illegal and unethical.

  1. Reconnaissance: The attacker identifies a vCenter Server instance accessible over TCP port 443.
  2. Endpoint Discovery: The vSAN Health Check plug-in endpoint is reachable via the vSphere Client URL path.
  3. Payload Injection: The attacker sends an unauthenticated HTTPS request to the vulnerable endpoint containing a crafted payload that bypasses input validation.
  4. Command Execution: The server passes the unsanitized input to an underlying system command, executing it with the privileges of the vCenter Server process (typically root or SYSTEM).
  5. Post-Exploitation: With unrestricted access, the attacker can extract credentials, move laterally to ESXi hosts, deploy malicious VMs, or establish persistent backdoors.

Affected and Patched Versions

Affected:

  • VMware vCenter Server 6.5 (all updates through Update 3n)
  • VMware vCenter Server 6.7 (all updates through Update 3m)
  • VMware vCenter Server 7.0 (all updates through Update 2a)
  • VMware Cloud Foundation (all versions)

Patched: VMware released updates in VMSA-2021-0010 (May 2021). Administrators must upgrade to:

  • vCenter Server 6.5 Update 3p or later
  • vCenter Server 6.7 Update 3m or later (check VMware's specific patch matrix for this branch)
  • vCenter Server 7.0 Update 2b or later

Note: VMware 6.5 and 6.7 reached End of General Support in October 2022. If you are still running these versions, upgrade immediately and consider the extended risk of running unsupported software.

Remediation

  1. Upgrade Immediately: Apply the patches from VMSA-2021-0010 without delay. This is a known-exploited vulnerability with an EPSS score of 0.99999.
  2. Network Segmentation: Restrict access to vCenter Server port 443 to only trusted administrative networks. Do not expose vCenter to the internet.
  3. Compensating Controls:
    • Implement Web Application Firewall (WAF) rules to detect and block suspicious requests to vSAN endpoints.
    • Enable comprehensive logging on vCenter Server and forward logs to a SIEM.
    • Monitor for anomalous process execution on the vCenter Server appliance.
  4. Credential Rotation: If compromise is suspected, rotate all service accounts, ESXi host credentials, and SSO credentials managed by the affected vCenter instance.

Detection

  • Network Signatures: Monitor for unexpected POST requests to vSAN Health Check URLs from non-administrative IP ranges.
  • Host-Based: Alert on unusual child processes spawned by the vCenter Server service (e.g., /bin/sh, bash, cmd.exe, PowerShell).
  • Log Analysis: Look for authentication bypass attempts and anomalous API activity in vCenter logs (/var/log/vmware/).
  • Threat Intelligence: Cross-reference inbound IPs against known exploit frameworks (e.g., VulnCheck, GreyNoise) for CVE-2021-21985 activity.

Assessment

This vulnerability is a textbook example of why unauthenticated RCE in management planes is so devastating. With an EPSS of 0.99999 and confirmed active exploitation by threat actors (CISA KEV, EUVD), the probability of in-the-wild exploitation is near-certain. The attack complexity is low, no privileges are required, and the blast radius is the entire virtual infrastructure.

Key lessons:

  1. Default-enabled plugins are attack surface. The vSAN Health Check plug-in is enabled by default; any such feature should be regularly audited for security posture.
  2. Management planes must be on isolated networks. vCenter Server should never be reachable from untrusted or internet-facing networks. If it is, assume compromise is imminent.

References

Frequently asked questions

What is CVE-2021-21985?
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
How severe is CVE-2021-21985?
CVE-2021-21985 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-21985 being actively exploited?
Yes. CVE-2021-21985 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-21985?
CVE-2021-21985 primarily affects Vmware Vcenter Server. In total, 52 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-21985?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-21985 have an EU (EUVD) identifier?
Yes. CVE-2021-21985 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-9156. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-21985 published?
CVE-2021-21985 was published on 2021-05-26 and last updated on 2026-06-17.

References

Affected products (52)

More vulnerabilities in Vmware Vcenter Server

All CVEs affecting Vmware Vcenter Server →

Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities

Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →