What is VMware vCenter Server?
VMware vCenter Server is the centralized management platform for VMware vSphere environments, providing a single pane of glass for managing ESXi hypervisors, virtual machines, storage, and networking across enterprise data centers. vCenter holds the keys to an organization's entire virtualized infrastructure — an attacker with RCE on vCenter can create or delete VMs, access their disk images, extract data from running workloads, and deploy malware across all managed systems simultaneously. vCenter servers are frequently deployed with management interfaces accessible from enterprise networks or, in misconfigured deployments, from the internet. See also CVE-2021-21985 for the companion vSAN Health Check RCE discovered in May 2021.
Overview
CVE-2021-21972 is an unauthenticated remote code execution vulnerability (CWE-22, path traversal) in the vSphere Client plugin for vRealize Operations Manager. The plugin is included with all vCenter Server installations but is only fully functional when vRealize Operations is also deployed. The vulnerable endpoint at /ui/vropspluginui/rest/services/uploadova allows file upload without authentication, and the path traversal enables writing files outside the intended directory — resulting in webshell deployment and code execution. VMware released patches in February 2021, but proof-of-concept code was published within days, triggering mass exploitation. Shodan and Censys analysis at the time identified approximately 6,700 internet-accessible vCenter servers.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| vCenter Server 7.0 before 7.0 U1c | Yes | 7.0 U1c |
| vCenter Server 6.7 before 6.7 U3l | Yes | 6.7 U3l |
| vCenter Server 6.5 before 6.5 U3n | Yes | 6.5 U3n |
| Cloud Foundation 4.x | Yes | 4.2 |
| Cloud Foundation 3.x | Yes | 3.10.1.2 |
Technical Details
The vRealize Operations Manager Integration plugin in vCenter Server's HTML5 client exposes a file upload endpoint that is accessible without authentication:
- Root cause: Path traversal (CWE-22) combined with an unauthenticated file upload endpoint — the `/ui/vropspluginui/rest/services/uploadova` endpoint accepts file uploads without requiring authentication, and the uploaded file path is not properly sanitized, allowing writes to arbitrary server directories
- Webshell deployment: An attacker uploads a JSP webshell to the vCenter web server's deployment directory, then accesses it via HTTP to execute commands on the vCenter Server OS
- Authentication required: None — the upload endpoint is accessible before any authentication challenge
- Execution context: Commands execute as the user running the vCenter Server application service, which typically has broad system access on the vCenter Server Appliance (VCSA)
- Companion vulnerability: CVE-2021-21973 (SSRF) was disclosed in the same advisory but is a lower-severity information disclosure that requires authentication
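The root cause above is an upload handler that trusts the file path supplied with the archive. As an added example (not VMware's code and not from this page), the hardened form of such a handler in Python: every entry of an uploaded OVA-style tar is resolved under the upload directory and refused if it would land outside it. The archive contents, the temp directory and the function names are constructed for the demonstration.

```python
import io
import tarfile
import tempfile
from pathlib import Path, PurePosixPath
from typing import List


def safe_destination(base_dir: str, entry_name: str) -> Path:
    """Resolve an archive entry name under base_dir, rejecting traversal.
    Absolute names, '..' components and resolved escapes all raise ValueError."""
    base = Path(base_dir).resolve()
    rel = PurePosixPath(entry_name)
    if not rel.parts or rel.is_absolute() or ".." in rel.parts:
        raise ValueError(f"rejected archive entry name: {entry_name!r}")
    dest = (base / Path(*rel.parts)).resolve()
    if dest != base and base not in dest.parents:
        raise ValueError(f"entry escapes upload directory: {entry_name!r}")
    return dest


def extract_ova_safely(archive: bytes, base_dir: str) -> List[str]:
    """Write only regular-file members whose destination stays inside base_dir.
    Returns the names written; traversal entries and links are skipped."""
    written: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # symlinks, hardlinks and devices are never materialised
            try:
                dest = safe_destination(base_dir, member.name)
            except ValueError:
                continue  # a hypothetical real handler would log and reject here
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(tar.extractfile(member).read())
            written.append(member.name)
    return written


def build_sample_archive() -> bytes:
    """Constructed OVA-style tar: one benign descriptor plus one traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in (("vm.ovf", b"<Envelope/>"), ("../../escape.jsp", b"x")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def run_demo() -> List[str]:
    """Extract the constructed archive into a fresh temporary upload directory."""
    upload_dir = tempfile.mkdtemp(prefix="ova-upload-")
    return extract_ova_safely(build_sample_archive(), upload_dir)
```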
Discovery
Discovered by Mikhail Klyuchnikov of Positive Technologies, who reported the vulnerability to VMware. Proof-of-concept exploit code was published almost immediately after VMware's advisory, triggering rapid mass scanning.
Exploitation Context
The same-day PoC publication and immediate mass scanning made CVE-2021-21972 one of the fastest-weaponized vulnerabilities of 2021. Ransomware groups, DarkSide among them, exploited vCenter access for bulk VM encryption — a single vCenter compromise enables simultaneous encryption of all managed VMs using ESXi-level commands, far more efficient than targeting each VM individually. NSA included CVE-2021-21972 in advisories about top routinely exploited vulnerabilities. The 6,700 internet-exposed vCenter servers identified at disclosure time represent a substantial standing attack surface, with many deployments remaining unpatched for months.
Remediation
- Apply patches per VMSA-2021-0002 — update to vCenter 7.0 U1c, 6.7 U3l, or 6.5 U3n as appropriate
- If immediate patching is not possible, apply VMware's workaround: restrict access to the `/ui/vropspluginui/` URL path at the firewall or load balancer level
- Restrict vCenter management interface network access — vCenter should never be directly accessible from the internet. Place it on a management network accessible only via VPN or jump host
- After patching, search for JSP webshells in vCenter Server web deployment directories, for example `$VMWARE_PYTHON_BIN/find / -name "*.jsp" -newer /etc/vmware-vpx/vpxd.cfg` or equivalent
- Review vCenter audit logs for unauthorized API calls and VM management operations
- Audit all VMs for unauthorized snapshots or clones that may have been taken to exfiltrate disk contents
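To support the log review step above, an added example (not from this page or from VMware) of detection logic over web access-log lines: any request to the unauthenticated upload endpoint is flagged, and a later successful fetch of a `.jsp` path by the same source is escalated, which is the webshell pattern the advisory describes. The combined log format, the source addresses and the paths in the sample are constructed; the real VCSA log files and their format are not reproduced here.

```python
import re
from typing import List, Set

UPLOAD_ENDPOINT = "/ui/vropspluginui/rest/services/uploadova"

# Assumption: Apache combined-style lines; real VCSA proxy/UI logs use other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one source hits the upload endpoint and then fetches a JSP,
# another is blocked (403) by the VMSA-2021-0002 URL-path workaround.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2021:10:01:02 +0000] "GET /ui/login HTTP/1.1" 200 5120
203.0.113.7 - - [24/Feb/2021:10:01:09 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 64
203.0.113.7 - - [24/Feb/2021:10:01:15 +0000] "GET /ui/resources/health.jsp HTTP/1.1" 200 211
192.0.2.10 - - [24/Feb/2021:10:05:00 +0000] "GET /ui/login HTTP/1.1" 200 5120
198.51.100.4 - - [24/Feb/2021:10:07:44 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 403 0
"""


def detect_upload_abuse(log_text: str) -> List[dict]:
    """Flag every request to the upload endpoint; escalate to critical when the
    same source then successfully fetches a .jsp path (the webshell pattern)."""
    seen_upload: Set[str] = set()
    findings: List[dict] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        ip, status = m["ip"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # ignore the query string when matching
        if path == UPLOAD_ENDPOINT:
            seen_upload.add(ip)
            findings.append({
                "ip": ip, "ts": m["ts"],
                "severity": "high" if status == 200 else "medium",
                "reason": f"request to unauthenticated upload endpoint (HTTP {status})",
            })
        elif path.endswith(".jsp") and status == 200 and ip in seen_upload:
            findings.append({
                "ip": ip, "ts": m["ts"], "severity": "critical",
                "reason": f"JSP fetched after upload attempt: {path}",
            })
    return findings
```

A blocked (403) hit is still reported, since scanning that reaches a vCenter management interface is itself worth investigating.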
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-21972 |
| Vendor / Product | VMware — vCenter Server |
| NVD Published | 2021-02-24 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-22 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2021-02-23 | VMware releases VMSA-2021-0002 patching CVE-2021-21972 and CVE-2021-21973 |
| 2021-02-24 | CVE published; proof-of-concept exploit published the same day |
| 2021-02-24 | Mass scanning for vulnerable vCenter servers begins within hours of PoC publication; ~6,700 internet-exposed vCenter servers identified |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| VMware Security Advisory VMSA-2021-0002 | Vendor Advisory |
| Tenable — CVE-2021-21972 VMware vCenter Server RCE | Security Research |
| NVD — CVE-2021-21972 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |