
CVE-2021-22049: VMware vCenter Server SSRF Vulnerability

CVE-2021-22049 is a server-side request forgery flaw in VMware vCenter Server's vSAN Web Client plug-in that allows attackers to access unauthorized URLs. This article covers technical details, affected versions, and mitigations.

CVE-2021-22049 Overview

The vSphere Web Client (FLEX/Flash) contains a Server-Side Request Forgery (SSRF) vulnerability in the vSAN Web Client (vSAN UI) plug-in. A malicious actor with network access to port 443 on vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service. This vulnerability affects organizations running VMware vCenter Server infrastructure and could allow attackers to pivot through the vCenter Server to reach otherwise inaccessible internal resources.

Critical Impact

Unauthenticated remote attackers with network access to port 443 can exploit this SSRF vulnerability to access internal services or make requests to external URLs, potentially leading to information disclosure, internal network reconnaissance, or further exploitation of backend systems.

Affected Products

  • VMware vCenter Server 6.5
  • VMware vCenter Server 6.7
  • VMware vCenter Server 7.0

Discovery Timeline

  • 2021-11-24 - CVE-2021-22049 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2021-22049

Vulnerability Analysis

This vulnerability is classified under CWE-918 (Server-Side Request Forgery), which occurs when a web application fetches a remote resource without properly validating the user-supplied URL. In the context of VMware vCenter Server, the vSAN Web Client plugin processes URL requests in an insecure manner, allowing attackers to manipulate requests to access arbitrary URLs.

The SSRF vulnerability in the vSAN UI plugin enables attackers to bypass network segmentation controls typically protecting internal infrastructure. Since vCenter Server often occupies a privileged network position with access to management interfaces and internal services, successful exploitation can provide attackers with a powerful pivot point for lateral movement.

Root Cause

The root cause of this vulnerability lies in the vSAN Web Client (vSAN UI) plugin's failure to properly validate and sanitize user-supplied URLs before processing server-side requests. The plugin accepts URL parameters from users and makes HTTP requests to those URLs from the server context without adequate restrictions on the target destinations or protocols.

This insufficient input validation allows attackers to craft malicious requests that force the vCenter Server to act as a proxy, making requests to internal resources, cloud metadata services, or external attacker-controlled servers on behalf of the vulnerable system.

Attack Vector

The attack vector for CVE-2021-22049 is network-based, requiring only network connectivity to port 443 on the vulnerable vCenter Server. No authentication is required to exploit this vulnerability, and no user interaction is necessary.

An attacker can exploit this vulnerability by:

  1. Identifying a vCenter Server accessible over the network on port 443
  2. Crafting HTTP requests to the vSAN Web Client plugin with malicious URL parameters
  3. Forcing the server to make requests to internal services (e.g., http://localhost:PORT/, internal IP ranges)
  4. Extracting sensitive information from responses or using the server to scan internal networks

The vulnerability allows attackers to reach services that may not be directly accessible from their network position, including internal APIs, cloud metadata endpoints, and management interfaces protected by firewall rules.

Detection Methods for CVE-2021-22049

Indicators of Compromise

  • Unusual outbound HTTP/HTTPS requests from vCenter Server to internal IP addresses or localhost
  • Access logs showing requests to the vSAN Web Client plugin with suspicious URL parameters
  • Network traffic from vCenter Server to cloud metadata services (e.g., 169.254.169.254)
  • Error logs indicating failed connections to internal services that vCenter should not normally access

Detection Strategies

  • Monitor vCenter Server access logs for requests to the vSAN UI plugin containing URL parameters pointing to internal addresses
  • Implement network monitoring to detect anomalous connections from vCenter Server to internal services or external destinations
  • Deploy web application firewall rules to inspect and block requests containing SSRF payload patterns
  • Analyze DNS query logs from vCenter Server for unusual domain resolutions
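The first detection strategy above, and the URL validation the root-cause section says the plug-in lacked, both come down to one check: does a user-supplied URL point into internal address space? The following is an added example (not code from the page, from VMware, or from the vSAN plug-in) that implements that check and runs it over access-log lines. The log format, the /ui/PLUGIN_PATH endpoint and the "url" parameter name are constructed placeholders, since the page does not give the real ones; the check deliberately also catches decimal and hex IP spellings and localhost-style names, which a naive string match would miss.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Names that resolve to the local host or to cloud metadata endpoints.
LOCAL_NAMES = {"localhost", "metadata", "metadata.google.internal"}

def is_internal_target(url: str) -> bool:
    """True if the URL's host is loopback, private, link-local or otherwise non-routable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return True  # unparsable URL: treat as suspicious
    host = (parts.hostname or "").lower()
    # No network host (e.g. file:///...) or a local name is flagged outright.
    if not host or host in LOCAL_NAMES or host.endswith(".localhost"):
        return True
    try:  # dotted/colon form first, then decimal or hex forms such as 2130706433
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.ip_address(int(host, 0))
        except ValueError:  # an ordinary external hostname
            return False
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_unspecified)

# Constructed log format (assumption): <client> "<METHOD> <path> HTTP/x" <status>
LOG_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)

def find_ssrf_candidates(lines):
    """Return (client, param, target) for requests whose query carries a URL aimed inward."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path, _status = m.groups()
        for key, value in parse_qsl(urlsplit(path).query):
            value = unquote(value)  # second decode catches double-encoded values
            if SCHEME_RE.match(value) and is_internal_target(value):
                hits.append((client, key, value))
    return hits

# Constructed sample lines; /ui/PLUGIN_PATH and the "url" parameter are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 "GET /ui/PLUGIN_PATH?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200',
    '203.0.113.7 "GET /ui/PLUGIN_PATH?url=http%3A%2F%2F2130706433%3A9443%2F HTTP/1.1" 200',
    '198.51.100.2 "GET /ui/PLUGIN_PATH?url=https://vcsa.example.com/rest/ HTTP/1.1" 200',
]
```

Run `find_ssrf_candidates(SAMPLE_LOG)` to see the two inward-pointing requests flagged and the request to an external hostname left alone; the same `is_internal_target` predicate, used server-side before a fetch, is the minimum validation the root-cause section describes as missing.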

Monitoring Recommendations

  • Enable verbose logging on vCenter Server web services and retain logs for forensic analysis
  • Implement egress filtering on vCenter Server to restrict outbound connections to known legitimate destinations
  • Set up alerts for any vCenter Server connections to RFC 1918 private address ranges that are not part of normal operations
  • Monitor for credential harvesting attempts if cloud metadata services are accessible

How to Mitigate CVE-2021-22049

Immediate Actions Required

  • Apply the latest security patches from VMware immediately to all affected vCenter Server instances
  • Restrict network access to port 443 on vCenter Server to only authorized administrators and management networks
  • Implement network segmentation to limit the impact of potential SSRF exploitation
  • Review firewall rules to prevent vCenter Server from making unnecessary outbound connections

Patch Information

VMware has released security updates to address this vulnerability. Administrators should refer to VMware Security Advisory VMSA-2021-0027 for detailed patch information and update instructions. It is critical to apply these patches promptly given the unauthenticated nature of this vulnerability.

Workarounds

  • If immediate patching is not possible, restrict network access to vCenter Server port 443 using firewall rules to limit exposure
  • Consider disabling the vSAN Web Client plugin if vSAN functionality is not actively used in the environment
  • Implement a reverse proxy or web application firewall in front of vCenter Server to filter malicious requests
  • Enable strict egress filtering to prevent vCenter Server from making requests to internal services or external destinations
```bash
# Example firewall rules to restrict vCenter access (iptables)
# Keep replies on already-accepted connections flowing first; without this,
# the OUTPUT drops below would also discard vCenter's own responses to the
# management network and to the ESXi hosts it manages
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow only the management network to access vCenter HTTPS
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

# Restrict vCenter outbound connections to essential services only:
# ACCEPT rules for the destinations vCenter legitimately reaches (ESXi hosts,
# DNS, NTP, identity services) must be appended before these drops
iptables -A OUTPUT -p tcp -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -p tcp -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -p tcp -d 192.168.0.0/16 -j DROP
# Link-local range, which includes the 169.254.169.254 metadata endpoint
iptables -A OUTPUT -p tcp -d 169.254.0.0/16 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
