CVE-2021-21972 Overview
CVE-2021-21972 is a critical remote code execution vulnerability affecting the vSphere Client (HTML5) component of VMware vCenter Server. The vulnerability exists within a vCenter Server plugin and allows a malicious actor with network access to port 443 to execute arbitrary commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
This vulnerability is particularly dangerous because it requires no authentication and can be exploited remotely over the network. Given that vCenter Server is a central management platform for VMware virtualized environments, successful exploitation could give attackers complete control over an organization's entire virtual infrastructure, including all managed ESXi hosts and virtual machines.
Critical Impact
Unauthenticated remote code execution with root/SYSTEM privileges on vCenter Server, enabling complete compromise of virtualized infrastructure.
Affected Products
- VMware vCenter Server 7.x before 7.0 U1c
- VMware vCenter Server 6.7 before 6.7 U3l
- VMware vCenter Server 6.5 before 6.5 U3n
- VMware Cloud Foundation 4.x before 4.2
- VMware Cloud Foundation 3.x before 3.10.1.2
Discovery Timeline
- February 24, 2021 - CVE-2021-21972 published to NVD
- October 30, 2025 - Last updated in NVD database
Technical Details for CVE-2021-21972
Vulnerability Analysis
The vulnerability resides in the vRealize Operations (vROps) vCenter plugin, which is installed by default on vCenter Server regardless of whether vRealize Operations is actually in use. The vulnerable endpoint /ui/vropspluginui/rest/services/uploadova is accessible without authentication and allows arbitrary file upload via path traversal.
The root cause is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, also known as Path Traversal). Attackers can craft malicious HTTP requests that include path traversal sequences to write arbitrary files to any location on the filesystem. On Linux-based vCenter Server Appliance (VCSA), attackers can upload SSH keys or cron jobs to achieve code execution. On Windows-based vCenter installations, attackers can write files to the webroot to deploy web shells.
This vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The availability of public exploit code on ExploitDB has significantly lowered the barrier for attackers.
Root Cause
The vulnerability stems from insufficient input validation in the file upload functionality of the vROps plugin. The plugin fails to properly sanitize the file path parameter in upload requests, allowing attackers to use directory traversal sequences (such as ../) to escape the intended upload directory and write files to arbitrary locations on the server's filesystem.
The vulnerable endpoint processes multipart form data for OVA file uploads but does not validate that the destination path remains within expected boundaries. This allows an attacker to specify a crafted filename containing path traversal characters that resolve to sensitive system directories.
Attack Vector
The attack is network-based and requires no prior authentication. An attacker needs only network access to port 443 (HTTPS) on the vCenter Server to exploit this vulnerability. The attack flow typically involves:
- The attacker sends a crafted HTTP POST request to the vulnerable /ui/vropspluginui/rest/services/uploadova endpoint
- The request contains path traversal sequences in the filename parameter to escape the upload directory
- The malicious file is written to an attacker-controlled location on the filesystem
- Depending on the operating system, the attacker achieves code execution through SSH key injection (Linux) or web shell deployment (Windows)
The exploitation does not require any user interaction, making this vulnerability particularly severe. Successful exploitation results in command execution with the privileges of the vCenter Server process, which typically runs as root on Linux (VCSA) or SYSTEM on Windows.
Detection Methods for CVE-2021-21972
Indicators of Compromise
- HTTP POST requests to /ui/vropspluginui/rest/services/uploadova from external or unexpected IP addresses
- Presence of unauthorized files in system directories such as /root/.ssh/authorized_keys on VCSA or web shells in the vCenter web directories
- Unexpected SSH connections or new cron jobs on VCSA appliances
- Suspicious process execution originating from the vCenter Server service
Detection Strategies
- Monitor web server access logs for requests containing path traversal patterns targeting the /ui/vropspluginui/rest/services/uploadova endpoint
- Implement network intrusion detection rules to identify exploitation attempts containing characteristic path traversal sequences
- Deploy file integrity monitoring on critical system directories to detect unauthorized file creation or modification
- Review authentication logs for unexpected SSH key-based logins following potential exploitation windows
Monitoring Recommendations
- Enable detailed logging on vCenter Server and forward logs to a SIEM for centralized analysis and alerting
- Configure alerts for any access to the vulnerable vROps plugin endpoints from non-administrative networks
- Monitor outbound network connections from vCenter Server for potential command-and-control communication
- Implement behavioral analysis to detect anomalous process execution patterns on vCenter systems
How to Mitigate CVE-2021-21972
Immediate Actions Required
- Apply the appropriate VMware security patch immediately based on your vCenter Server version (7.0 U1c, 6.7 U3l, or 6.5 U3n)
- If immediate patching is not possible, implement the workaround by disabling the vulnerable vROps plugin
- Restrict network access to vCenter Server port 443 to only authorized management networks and administrators
- Conduct forensic review of vCenter systems to identify any signs of prior exploitation
Patch Information
VMware has released security patches addressing CVE-2021-21972 in the following versions:
- vCenter Server 7.0: Update to version 7.0 U1c or later
- vCenter Server 6.7: Update to version 6.7 U3l or later
- vCenter Server 6.5: Update to version 6.5 U3n or later
- VMware Cloud Foundation 4.x: Update to version 4.2 or later
- VMware Cloud Foundation 3.x: Update to version 3.10.1.2 or later
Refer to the VMware Security Advisory VMSA-2021-0002 for detailed patching instructions and additional security guidance.
Workarounds
- Disable the vROps plugin by setting the plugin's compatibility matrix file to incompatible status as described in VMware KB 82374
- Implement network segmentation to restrict access to vCenter management interfaces from untrusted networks
- Deploy a web application firewall (WAF) with rules to block requests containing path traversal sequences targeting vCenter endpoints
- Consider placing vCenter Server behind a VPN or jump host to limit direct network exposure
# Workaround: Disable vROps plugin on vCenter Server Appliance (VCSA)
# Navigate to the plugin directory and make compatibility file incompatible
cd /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/
# Backup and modify the compatibility matrix
cp com.vmware.vrops.install-*-manifest.zip /tmp/backup/
# Remove or disable the vROps plugin package
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
