CVE-2021-22005
CVE-2021-22005 is a critical-severity vulnerability in Vmware Cloud Foundation with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-9174
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-22
- Affected product: Vmware Cloud Foundation
- Published:
- Last modified:
Description
The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
CVE-2021-22005: VMware vCenter Server Arbitrary File Upload in Analytics Service
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2021-22005 |
| CVSS v3 | 9.8 (CRITICAL) |
| CVSS v2 | 7.5 |
| EPSS | 0.99999 (99.998th percentile) |
| KEV | Yes (added 2021-11-03) |
| CWE | CWE-22 (Improper Limitation of a Pathname to a Restricted Directory / Path Traversal) |
| Vendor | VMware |
Summary
VMware vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
Background
VMware vCenter Server is a centralized management platform for VMware vSphere environments, providing a single pane of glass for virtual infrastructure administration. The Analytics service, part of the Customer Experience Improvement Program (CEIP) infrastructure, handles telemetry and diagnostic data collection. This service was found to improperly validate file upload paths, leading to a critical security flaw.
Root Cause
The vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal). The Analytics service fails to properly sanitize or restrict the destination path of uploaded files. An attacker can manipulate the file upload request to write files to arbitrary locations on the vCenter Server filesystem, such as web-accessible directories or startup folders, leading to remote code execution.
Impact
With a CVSS v3 score of 9.8 (CRITICAL), this vulnerability is network-exploitable with low attack complexity, requiring no authentication or user interaction:
- Confidentiality Impact: HIGH — attacker can access sensitive data on the server
- Integrity Impact: HIGH — attacker can modify system files and configurations
- Availability Impact: HIGH — attacker can disrupt services or deploy persistent backdoors
The CVSS v2 score of 7.5 and the EPSS of 0.99999 (99.998th percentile) both indicate this is an actively and widely exploited vulnerability.
Exploitation Walkthrough
⚠️ Ethics Notice: This section describes the attack conceptually for defensive purposes only. Do not attempt to exploit systems without explicit authorization. Accessing computer systems without permission is illegal in most jurisdictions.
The attack flow is conceptually straightforward:
- Reconnaissance: The attacker identifies a vCenter Server instance exposing port 443 with the Analytics (CEIP) service enabled.
- Path Traversal Abuse: The attacker crafts a multipart file upload request containing path traversal sequences (e.g.,
../../) in the filename or path parameter, targeting a directory where the uploaded file will be interpreted or executed by the server. - Remote Code Execution: By writing a file to a web shell path, a scheduled task directory, or another execution context, the attacker achieves arbitrary code execution with the privileges of the vCenter Server process.
No authentication or user interaction is required, making this vulnerability trivially exploitable by anyone with network access.
Affected and Patched Versions
Affected products (based on CPE data):
- VMware vCenter Server 6.5
- VMware vCenter Server 6.7
- VMware vCenter Server 7.0
- VMware Cloud Foundation
Patched versions: Specific patched versions are not available in the source data. Administrators should consult VMware Security Advisory VMSA-2021-0020 for the latest patched releases and upgrade paths.
Remediation
- Upgrade immediately: Apply the patches provided in VMware Security Advisory VMSA-2021-0020. Given the KEV status and near-certain exploitation probability (EPSS 0.99999), patching should be treated as an emergency change.
- Compensating controls (if immediate patching is not possible):
- Restrict network access to vCenter Server port 443 to trusted administrative hosts only (firewall rules / network segmentation).
- Disable the Analytics/CEIP service if not required.
- Monitor for unauthorized file uploads and suspicious file modifications.
- Deploy Web Application Firewall (WAF) rules to detect and block path traversal sequences in file upload requests.
Detection
Defenders should monitor for:
- Unusual HTTP POST requests to Analytics/CEIP endpoints containing multipart file uploads.
- File system changes in web directories or other sensitive paths on the vCenter Server.
- Outbound network connections initiated by the vCenter Server process.
- Anomalous authentication or authorization events following file upload activity.
- Correlation with CISA KEV catalog entry (added 2021-11-03).
Assessment
This vulnerability represents a textbook example of how a single missing input validation check (path sanitization on file uploads) can lead to full remote compromise of a critical infrastructure component. With an EPSS of 0.99999 and confirmed inclusion in both the CISA KEV and EUVD catalogs, exploitation is not theoretical — it is a near-certainty for exposed instances.
Key lessons:
- File upload functionality must always validate and restrict both the file content and the destination path. Path traversal protections should be implemented at multiple layers.
- Critical infrastructure management platforms like vCenter Server should never be directly exposed to untrusted networks. Network segmentation remains one of the most effective compensating controls when patching is delayed.
References
Frequently asked questions
- What is CVE-2021-22005?
- The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
- How severe is CVE-2021-22005?
- CVE-2021-22005 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-22005 being actively exploited?
- Yes. CVE-2021-22005 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-22005?
- CVE-2021-22005 primarily affects Vmware Cloud Foundation. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-22005?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-22005 have an EU (EUVD) identifier?
- Yes. CVE-2021-22005 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-9174. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-22005 published?
- CVE-2021-22005 was published on 2021-09-23 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/164439/VMware-vCenter-Server-Analytics-CEIP-Service-File-Upload.html
- https://www.vmware.com/security/advisories/VMSA-2021-0020.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22005
Affected products (4)
- cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*
- cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*
More vulnerabilities in Vmware Cloud Foundation
- CVE-2023-34063 — Critical (CVSS 9.9): Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this…
- CVE-2024-38812 — Critical (CVSS 9.8): The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious…
- CVE-2024-37079 — Critical (CVSS 9.8): vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor…
- CVE-2023-20864 — Critical (CVSS 9.8): VMware Aria Operations for Logs contains a deserialization vulnerability. An unauthenticated, malicious actor with…
- CVE-2022-22972 — Critical (CVSS 9.8): VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability…
- CVE-2022-22954 — Critical (CVSS 9.8): VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side…
All CVEs affecting Vmware Cloud Foundation →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…