CVE-2021-22005

CVE-2021-22005 is a critical-severity vulnerability in Vmware Cloud Foundation with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.

Key facts

Description

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.

CVE-2021-22005: VMware vCenter Server Arbitrary File Upload in Analytics Service

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2021-22005
CVSS v3 9.8 (CRITICAL)
CVSS v2 7.5
EPSS 0.99999 (99.998th percentile)
KEV Yes (added 2021-11-03)
CWE CWE-22 (Improper Limitation of a Pathname to a Restricted Directory / Path Traversal)
Vendor VMware

Summary

VMware vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.

Background

VMware vCenter Server is a centralized management platform for VMware vSphere environments, providing a single pane of glass for virtual infrastructure administration. The Analytics service, part of the Customer Experience Improvement Program (CEIP) infrastructure, handles telemetry and diagnostic data collection. This service was found to improperly validate file upload paths, leading to a critical security flaw.

Root Cause

The vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal). The Analytics service fails to properly sanitize or restrict the destination path of uploaded files. An attacker can manipulate the file upload request to write files to arbitrary locations on the vCenter Server filesystem, such as web-accessible directories or startup folders, leading to remote code execution.

Impact

With a CVSS v3 score of 9.8 (CRITICAL), this vulnerability is network-exploitable with low attack complexity, requiring no authentication or user interaction:

  • Confidentiality Impact: HIGH — attacker can access sensitive data on the server
  • Integrity Impact: HIGH — attacker can modify system files and configurations
  • Availability Impact: HIGH — attacker can disrupt services or deploy persistent backdoors

The CVSS v2 score of 7.5 and the EPSS of 0.99999 (99.998th percentile) both indicate this is an actively and widely exploited vulnerability.

Exploitation Walkthrough

⚠️ Ethics Notice: This section describes the attack conceptually for defensive purposes only. Do not attempt to exploit systems without explicit authorization. Accessing computer systems without permission is illegal in most jurisdictions.

The attack flow is conceptually straightforward:

  1. Reconnaissance: The attacker identifies a vCenter Server instance exposing port 443 with the Analytics (CEIP) service enabled.
  2. Path Traversal Abuse: The attacker crafts a multipart file upload request containing path traversal sequences (e.g., ../../) in the filename or path parameter, targeting a directory where the uploaded file will be interpreted or executed by the server.
  3. Remote Code Execution: By writing a file to a web shell path, a scheduled task directory, or another execution context, the attacker achieves arbitrary code execution with the privileges of the vCenter Server process.

No authentication or user interaction is required, making this vulnerability trivially exploitable by anyone with network access.

Affected and Patched Versions

Affected products (based on CPE data):

  • VMware vCenter Server 6.5
  • VMware vCenter Server 6.7
  • VMware vCenter Server 7.0
  • VMware Cloud Foundation

Patched versions: Specific patched versions are not available in the source data. Administrators should consult VMware Security Advisory VMSA-2021-0020 for the latest patched releases and upgrade paths.

Remediation

  1. Upgrade immediately: Apply the patches provided in VMware Security Advisory VMSA-2021-0020. Given the KEV status and near-certain exploitation probability (EPSS 0.99999), patching should be treated as an emergency change.
  2. Compensating controls (if immediate patching is not possible):
    • Restrict network access to vCenter Server port 443 to trusted administrative hosts only (firewall rules / network segmentation).
    • Disable the Analytics/CEIP service if not required.
    • Monitor for unauthorized file uploads and suspicious file modifications.
    • Deploy Web Application Firewall (WAF) rules to detect and block path traversal sequences in file upload requests.

Detection

Defenders should monitor for:

  • Unusual HTTP POST requests to Analytics/CEIP endpoints containing multipart file uploads.
  • File system changes in web directories or other sensitive paths on the vCenter Server.
  • Outbound network connections initiated by the vCenter Server process.
  • Anomalous authentication or authorization events following file upload activity.
  • Correlation with CISA KEV catalog entry (added 2021-11-03).

Assessment

This vulnerability represents a textbook example of how a single missing input validation check (path sanitization on file uploads) can lead to full remote compromise of a critical infrastructure component. With an EPSS of 0.99999 and confirmed inclusion in both the CISA KEV and EUVD catalogs, exploitation is not theoretical — it is a near-certainty for exposed instances.

Key lessons:

  1. File upload functionality must always validate and restrict both the file content and the destination path. Path traversal protections should be implemented at multiple layers.
  2. Critical infrastructure management platforms like vCenter Server should never be directly exposed to untrusted networks. Network segmentation remains one of the most effective compensating controls when patching is delayed.

References

Frequently asked questions

What is CVE-2021-22005?
The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
How severe is CVE-2021-22005?
CVE-2021-22005 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-22005 being actively exploited?
Yes. CVE-2021-22005 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-22005?
CVE-2021-22005 primarily affects Vmware Cloud Foundation. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-22005?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-22005 have an EU (EUVD) identifier?
Yes. CVE-2021-22005 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-9174. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-22005 published?
CVE-2021-22005 was published on 2021-09-23 and last updated on 2026-06-17.

References

Affected products (4)

More vulnerabilities in Vmware Cloud Foundation

All CVEs affecting Vmware Cloud Foundation →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →