CVE-2021-1497 — Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability

CVE-2021-1497

Cisco HyperFlex HX — Unauthenticated OS Command Injection in Installer VM Web Service Enabling Root Code Execution on Hyperconverged Infrastructure

What is Cisco HyperFlex HX?

Cisco HyperFlex is Cisco's hyperconverged infrastructure (HCI) platform, combining compute, storage, and networking into a single integrated system managed through a centralized software-defined fabric. HyperFlex clusters are deployed in enterprise data centers as an alternative to traditional three-tier infrastructure, managing virtual machines and workloads across all cluster nodes. The Installer Virtual Machine (Installer VM) is a temporary deployment appliance used during HyperFlex cluster setup and expansion — it provides a web-based workflow for configuring new nodes. Even though the Installer VM is intended for temporary use, many deployments leave it running after initial setup. See also CVE-2021-1498 for the companion vulnerability in the HyperFlex HX Data Platform management web service.

Overview

CVE-2021-1497 is an OS command injection vulnerability (CWE-78) in the web-based management service of the Cisco HyperFlex HX Installer Virtual Machine. The Installer VM's web service accepts POST parameters for cluster configuration that are passed to OS commands without adequate sanitization. An unauthenticated remote attacker can inject arbitrary OS commands via these parameters, achieving code execution as root on the Installer VM. Cisco addressed this vulnerability alongside the companion CVE-2021-1498 in Security Advisory cisco-sa-hyperflex-rce-TjjNrkpR in May 2021.

Affected Versions

Product                                         Vulnerable   Fixed
HyperFlex HX Data Platform 4.0(x)               Yes          4.0(2b)
HyperFlex HX Data Platform 4.5(x)               Yes          4.5(1a)
HyperFlex HX Data Platform 3.5(x) and earlier   Yes          See Cisco advisory (migrate to a fixed release)

Technical Details

The Cisco HyperFlex Installer VM provides a REST/web API for cluster installation and node configuration tasks. Input parameters submitted to these installation endpoints are processed by underlying shell scripts:

  • Root cause: OS command injection (CWE-78) — the Installer VM web service passes user-supplied configuration parameters (such as hostnames, IP addresses, or configuration values) to shell commands without filtering metacharacters
  • Injection vector: Specially crafted POST parameters containing shell metacharacters (;, &&, |, $(...)) cause the web service to execute additional attacker-controlled commands
  • Authentication required: None — the Installer VM web service is accessible without authentication since it is designed to function before cluster authentication is established
  • Execution context: Commands execute as root on the Installer VM operating system, giving full control of the appliance
  • Distinction from CVE-2021-1498: CVE-2021-1497 affects the Installer VM specifically; CVE-2021-1498 affects the HX Data Platform web service and runs as the tomcat8 user rather than root
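The injection pattern described above, reduced to a runnable illustration. This is example code written for this page, not Cisco's Installer VM code: the handler, the `hostname` parameter, the `echo` stand-in for the real OS command and the attacker string are all assumptions. The vulnerable function splices the parameter into a string handed to `/bin/sh`; the hardened one rejects anything outside a hostname allow-list and passes an argv list so no shell ever parses the input.

```python
"""Hypothetical CWE-78 pattern and its hardened form (example code for this page,
not Cisco's Installer VM code; the endpoint, parameter and command are assumed)."""
import re
import subprocess

# Constructed attacker input: a "hostname" carrying a shell command separator.
INJECTED_HOSTNAME = "node1; echo INJECTED"

# Stand-in for whatever OS command the real service ran; echo keeps the demo side-effect free.
BASE_CMD = "echo resolving"


def run_vulnerable(hostname: str) -> str:
    """Vulnerable pattern: user input spliced into a string handed to /bin/sh.

    shell=True lets ';', '&&', '|', '$(...)' and backticks in `hostname`
    change what gets executed, under the service's uid (root on the Installer VM).
    """
    completed = subprocess.run(f"{BASE_CMD} {hostname}", shell=True,
                               capture_output=True, text=True, check=False)
    return completed.stdout


# Strict allow-list: RFC 1123 hostname shape only, so no shell metacharacter can pass.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_hostname(hostname: str) -> bool:
    """True only for a syntactically valid hostname."""
    return HOSTNAME_RE.fullmatch(hostname) is not None


def run_argv_only(hostname: str) -> str:
    """argv list without a shell: metacharacters are passed to the program as literal text."""
    completed = subprocess.run(["echo", "resolving", hostname],
                               capture_output=True, text=True, check=False)
    return completed.stdout


def run_hardened(hostname: str) -> str:
    """Hardened: allow-list validation first, then an argv list with no shell.

    Either defense alone stops this injection; together they also cover
    programs that interpret their own arguments (e.g. option-like values).
    """
    if not validate_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return run_argv_only(hostname)


if __name__ == "__main__":
    print(run_vulnerable(INJECTED_HOSTNAME), end="")   # second line "INJECTED" proves execution
    print(run_argv_only(INJECTED_HOSTNAME), end="")    # metacharacters printed literally
    try:
        run_hardened(INJECTED_HOSTNAME)
    except ValueError as exc:
        print(exc)
```

Run it and the first call prints a second line, `INJECTED`, because the shell split the string at `;`; the argv-only call prints the whole attacker string as one literal argument, and the hardened call refuses it before any command runs.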

Discovery

Reported to Cisco by external security researchers. Cisco PSIRT coordinated disclosure and released patches in May 2021 covering both CVE-2021-1497 and CVE-2021-1498 simultaneously.

Exploitation Context

HyperFlex Installer VMs left running after initial cluster deployment are an unnecessary, highly privileged attack surface. Root on the Installer VM exposes the HyperFlex cluster credentials and configuration data stored during installation, which an attacker can reuse for lateral movement into the HyperFlex cluster and the infrastructure connected to it. Because HyperFlex clusters in enterprise data centers typically host production workloads across many virtual machines, cluster-level access puts every managed VM within reach.

Remediation

  1. Apply patches per Cisco Security Advisory cisco-sa-hyperflex-rce-TjjNrkpR — update HyperFlex HX Data Platform to 4.0(2b), 4.5(1a), or later
  2. Power off or decommission the Installer VM if HyperFlex cluster installation is complete — the Installer VM should not remain running in production environments
  3. If the Installer VM must remain running for administrative purposes, restrict network access to it via ACLs or firewall rules — it should only be reachable from authorized administrator workstations
  4. Verify that no internet-facing network path exists to the Installer VM's web service
  5. Review Installer VM logs for unexpected POST requests to the cluster configuration API from unauthorized sources
  6. After patching, audit HyperFlex cluster credentials and rotate any credentials that may have been accessible via the Installer VM
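A starting point for the log review in step 5, as an added example that is not part of the advisory or of any Cisco tooling. It assumes the Installer VM's web server writes Apache/nginx "combined"-style access logs, that the configuration API lives under `/api/`, and that administrator workstations sit in 10.10.0.0/24; all three are assumptions to adjust. It flags POSTs to the configuration API from outside the admin subnet and any request whose URL-decoded path or query carries shell metacharacters. Access logs do not record POST bodies, so a clean result here does not prove the body parameters were benign.

```python
"""Triage of constructed access-log lines for the Installer VM log review.
Example code for this page; the log format, API prefix and admin subnet are assumptions."""
import ipaddress
import re
from urllib.parse import unquote

ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # assumed admin workstation subnet
API_PREFIX = "/api/"                                  # assumed config API path prefix
SHELL_META = re.compile(r"[;|&`$]")                   # separators/substitution used in CWE-78 payloads

# Apache/nginx "combined" request line: ip ident user [ts] "METHOD url proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not real logs.
SAMPLE_LOG = """\
10.10.0.5 - - [04/May/2021:09:12:01 +0000] "GET /api/clusters HTTP/1.1" 200 512
10.10.0.5 - - [04/May/2021:09:12:07 +0000] "POST /api/clusters/config HTTP/1.1" 200 88
203.0.113.77 - - [04/May/2021:23:41:52 +0000] "POST /api/clusters/config HTTP/1.1" 200 88
203.0.113.77 - - [04/May/2021:23:42:10 +0000] "POST /api/clusters/config?hostname=node1%3Bid HTTP/1.1" 200 88
"""


def parse_line(line):
    """Return the request fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Return (line_number, reason) pairs for requests that deserve a second look."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            findings.append((n, "unparseable line"))
            continue
        src = ipaddress.ip_address(rec["ip"])
        url = unquote(rec["url"])          # decode %3B etc. before looking for metacharacters
        if (rec["method"] == "POST" and url.startswith(API_PREFIX)
                and not any(src in net for net in ADMIN_NETS)):
            findings.append((n, f"POST to config API from non-admin source {src}"))
        if SHELL_META.search(url):
            findings.append((n, "shell metacharacter in request URL"))
    return findings


if __name__ == "__main__":
    for lineno, reason in triage(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

On the constructed sample, the two requests from 203.0.113.77 are flagged as non-admin POSTs to the configuration API, and the last one is flagged a second time for the `;` hidden behind `%3B`. Any source that is flagged should be cross-checked against change records before the credential rotation in step 6.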

Key Details

Property              Value
CVE ID                CVE-2021-1497
Vendor / Product      Cisco — HyperFlex HX
NVD Published         2021-05-06
NVD Last Modified     2025-10-28
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-78
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date         Event
2021-05-05   Cisco releases patches for CVE-2021-1497 and CVE-2021-1498; Cisco Security Advisory cisco-sa-hyperflex-rce-TjjNrkpR published
2021-05-06   CVE published
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17   CISA BOD 22-01 remediation deadline