CVE-2021-21973 — VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability

CVE-2021-21973

VMware vCenter vSphere Client Plugin SSRF: Missing URL Validation on an Unauthenticated Endpoint Lets a Network Attacker Probe Internal Services (VMSA-2021-0002)

What is the vCenter vSphere Client Plugin SSRF?

VMware vCenter Server's vSphere Client (the HTML5 UI, reachable through vCenter's HTTPS port 443) includes a plugin framework that loads extensions from registered plugin endpoints and talks to their backends over HTTP. In the vulnerable versions, one plugin exposes an endpoint that takes a URL from the caller and fetches it, without requiring a vCenter session and without restricting where the request may go (CWE-918, server-side request forgery). An attacker who can reach port 443 can therefore make vCenter send HTTP requests to addresses of the attacker's choosing, internal or external. Because vCenter sits on the vSphere management network with reachability to ESXi hosts, storage and other infrastructure, those requests land on services that are normally unreachable from the attacker's own position.

Overview

CVE-2021-21973 is a server-side request forgery (CWE-918) in the URL validation of a VMware vCenter Server vSphere Client plugin. Because the plugin does not properly validate a caller-supplied URL, an unauthenticated attacker with network access to vCenter's port 443 can make vCenter issue HTTP requests to internal addresses of the attacker's choosing and learn about the services there. VMware fixed it in VMSA-2021-0002 on February 23, 2021, in the same plugin and the same advisory as the critical CVE-2021-21972 (unauthenticated RCE, CVSS 9.8). The RCE drew mass scanning and exploitation; the SSRF drew far less attention even though one update (and one plugin-disabling workaround) addresses both, so any vCenter still exposed to CVE-2021-21972 was exposed to CVE-2021-21973 as well. CISA added CVE-2021-21973 to the KEV catalog in March 2022.

Affected Versions

Product                                       Vulnerable   Fixed
VMware vCenter Server 7.0 before 7.0 U1c      Yes          7.0 U1c
VMware vCenter Server 6.7 before 6.7 U3l      Yes          6.7 U3l
VMware vCenter Server 6.5 before 6.5 U3n      Yes          6.5 U3n
VMware Cloud Foundation 4.x before 4.2        Yes          4.2
VMware Cloud Foundation 3.x before 3.10.1.2   Yes          3.10.1.2

Technical Details

  • Root cause: SSRF (CWE-918) in vCenter's vSphere plugin URL validation — the plugin discovery or test connectivity functionality in the vSphere Client accepts a URL parameter from the client and makes an outbound HTTP request to that URL on behalf of the client; insufficient validation allows the URL to point to internal network addresses (RFC 1918 ranges, localhost, or cloud metadata endpoints)
  • Endpoint accessibility: The vulnerable endpoint is accessible without authentication — consistent with a plugin registration or URL validation API that is intended to be reachable during setup flows; this PR:N characteristic makes the SSRF exploitable without any prior compromise
  • Internal service exposure: From vCenter's network position (typically in the management VLAN with access to ESXi hosts, storage systems, network management interfaces, and other infrastructure), SSRF can probe: (1) ESXi management interfaces on port 443 or 902, (2) internal IPAM/DNS/NTP services, (3) cloud metadata services (169.254.169.254) for IAM credential theft in cloud deployments, (4) database ports on management systems
  • CVE-2021-21972 relationship: CVE-2021-21972 is the critical companion (CVSS 9.8), an unauthenticated RCE in the same vCenter plugin; VMSA-2021-0002 fixes both at once, and VMware's workaround (disabling the plugin in the vSphere Client) removes both attack surfaces. An instance that was never patched or mitigated for the RCE therefore remains exploitable for the SSRF too, and an SSRF probe is a cheap way for an attacker to confirm that the unauthenticated plugin surface is reachable before trying the RCE
  • C:L impact: The confidentiality impact is Low (information about internal services via SSRF response variation) but the practical value is higher when used for internal network reconnaissance in preparation for lateral movement
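
The validation that the vulnerable plugin endpoint lacked, shown as an added example (Python, not VMware's code and not the actual vCenter endpoint): a naive "is this a well-formed URL" check next to one that accepts only registered plugin hosts on their pinned addresses and refuses loopback, link-local (cloud metadata) and split or rebinding DNS answers. The plugin registry, hostnames and DNS answers are constructed for the example.

```python
"""Destination validation for a "fetch this URL on the server's behalf" endpoint.

Added example, not VMware's code: it models the CWE-918 pattern behind
CVE-2021-21973 (a vSphere Client plugin endpoint accepting a caller-supplied
URL) next to a hardened check. The plugin registry and the resolver table are
constructed so the example runs offline; real code would resolve via DNS and
pin the fetch to the validated address.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical registration data: plugin backends an administrator registered,
# pinned to the addresses they had at registration time.
REGISTERED_PLUGINS = {
    "vrops.mgmt.example.internal": {"10.20.30.40"},
    "backup.mgmt.example.internal": {"10.20.30.41"},
}

# Constructed DNS answers standing in for a real resolver.
FAKE_DNS = {
    "vrops.mgmt.example.internal": ["10.20.30.40"],
    "backup.mgmt.example.internal": ["10.20.30.41", "127.0.0.1"],  # hijacked/rebinding answer
    "meta.attacker.test": ["169.254.169.254"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def hard_forbidden(ip):
    """Addresses a server-side fetch may never reach, allowlisted or not:
    loopback (vCenter's own services), link-local (incl. 169.254.169.254
    cloud metadata), unspecified, multicast, reserved. RFC 1918 space is
    deliberately *not* here: management-network plugins legitimately live
    there, so it is gated by the registration allowlist instead."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # [::ffff:127.0.0.1] is still loopback
    return (ip.is_loopback or ip.is_link_local or ip.is_unspecified
            or ip.is_multicast or ip.is_reserved)


def vulnerable_accepts(url):
    """The flawed pattern: any well-formed http(s) URL gets fetched."""
    p = urlsplit(url)
    return p.scheme in ("http", "https") and bool(p.hostname)


def hardened_accepts(url, registered=REGISTERED_PLUGINS, resolve=fake_resolve):
    """Return (accepted, reason). Only registered hosts, on their pinned
    addresses, over http(s) on a standard port, with no userinfo trick."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        return False, "scheme not http(s)"
    if p.username is not None or p.password is not None:
        return False, "userinfo in URL"          # http://trusted@127.0.0.1/
    host = (p.hostname or "").lower()
    if not host:
        return False, "no host"
    try:
        port = p.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 80, 443):
        return False, "non-standard port"        # blocks port scanning via SSRF
    pinned = set().union(*registered.values())
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if hard_forbidden(literal):
            return False, "forbidden literal address"
        return (True, "ok") if str(literal) in pinned else (False, "literal not registered")
    if host not in registered:
        return False, "host not registered"
    answers = [ipaddress.ip_address(a) for a in resolve(host)]
    if not answers:
        return False, "host does not resolve"
    for a in answers:
        # Every answer must be the pinned address: rejects split/rebinding answers.
        if hard_forbidden(a) or str(a) not in registered[host]:
            return False, "resolves outside pinned address set: %s" % a
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://vrops.mgmt.example.internal/", "http://169.254.169.254/latest/meta-data/",
              "https://backup.mgmt.example.internal/", "http://vrops.mgmt.example.internal@127.0.0.1/"):
        print("%-55s naive=%-5s hardened=%s" % (u, vulnerable_accepts(u), hardened_accepts(u)))
```

The fetch that follows a successful check must connect to the validated address rather than re-resolving the name, and must not follow redirects; otherwise a registered host can bounce the request to 169.254.169.254 and the check is moot.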

Discovery

VMware patched CVE-2021-21973 alongside CVE-2021-21972 in VMSA-2021-0002 (February 23, 2021); both were reported to VMware by Mikhail Klyuchnikov of Positive Technologies. The CVE-2021-21972 RCE was widely reported and attracted mass exploitation, while CVE-2021-21973 received little attention despite shipping in the same advisory. CISA's March 2022 KEV addition, a year after the patch, reflects evidence of active exploitation against vCenter deployments that were still unpatched.

Exploitation Context

VMware vCenter manages virtualized infrastructure in enterprise and government environments; a successful attack on it gives access to the hypervisor layer controlling every virtual machine it manages. CVE-2021-21973 is valuable for infrastructure reconnaissance precisely because vCenter sits in management network segments that are isolated from ordinary corporate networks. An attacker who can reach vCenter's web interface on port 443 (for example from a compromised workstation) but cannot route to the vSphere management segment can use the SSRF to make vCenter probe that segment on their behalf, identifying ESXi hosts, storage and network management interfaces, and other services to target for lateral movement.

Remediation

  1. Apply the VMSA-2021-0002 updates: vCenter Server 7.0 U1c, 6.7 U3l or 6.5 U3n (Cloud Foundation 4.2 or 3.10.1.2). One update fixes CVE-2021-21972 (RCE) and CVE-2021-21973 (SSRF) together; the same advisory also covers CVE-2021-21974 in ESXi
  2. If patching must wait: apply VMware's documented workaround for the advisory, which disables the affected vROps plugin in the vSphere Client by marking it incompatible in the client's plugin compatibility matrix and restarting the vsphere-ui service. This removes the unauthenticated plugin surface used by both CVEs; it is a stopgap, not a fix
  3. Do not expose vCenter to the internet; restrict port 443 and the other vCenter management ports to administrator workstations and management subnets
  4. Apply egress filtering from the vCenter appliance: allow outbound connections only to ESXi hosts (443, 902), registered plugin backends and required infrastructure services (DNS, NTP, syslog, update repositories), and deny the rest; this caps what an SSRF can reach even on an unpatched instance
  5. For cloud-hosted deployments, require session-token metadata access (IMDSv2 on AWS, or the equivalent hardening on other clouds) so a plain GET forged through vCenter cannot fetch instance credentials from 169.254.169.254
  6. Hunt for exploitation: in the vSphere Client (vsphere-ui) access logs look for POST requests to plugin paths that carry no vCenter session, and in firewall or flow logs look for connections originating from vCenter toward the metadata address, toward hosts outside the egress policy, or toward many ports on one internal host (a port sweep driven through the SSRF)
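
Steps 4 and 6 as detection logic, in an added example (not VMware tooling): given an egress policy of the kind step 4 describes, walk firewall records for connections vCenter itself initiated and flag the metadata address, anything off-policy, and port sweeps against a single host, which is what an SSRF used for reconnaissance looks like from the network side. The log format, addresses and policy are assumptions and the records are constructed.

```python
"""Egress triage for a vCenter appliance: flag outbound connections an SSRF
through the vSphere Client could have produced.

Added example, not VMware tooling. The firewall log format, the vCenter IP
and the egress policy are assumptions; the log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "dst port reason line")

VCENTER_IP = "10.20.30.5"  # assumed management address of the appliance

# Assumed egress policy: the only destinations vCenter should initiate.
POLICY = {
    "esxi_hosts": {"10.20.30.11", "10.20.30.12"},
    "esxi_ports": {443, 902},
    # DNS, NTP and the one registered plugin backend
    "services": {("10.20.30.2", 53), ("10.20.30.2", 123), ("10.20.30.40", 443)},
}

# Assumed syslog-style record: "... ACCEPT src=A:P dst=B:Q proto=tcp"
LINE_RE = re.compile(r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<port>\d+)")

SWEEP_THRESHOLD = 3  # distinct ports on one host before we call it a port sweep


def classify(dst, port, policy=POLICY):
    """None when the connection is within policy, else a reason string."""
    ip = ipaddress.ip_address(dst)
    if ip.is_link_local:
        return "link-local destination (cloud metadata endpoint)"
    if dst in policy["esxi_hosts"] and port in policy["esxi_ports"]:
        return None
    if (dst, port) in policy["services"]:
        return None
    if ip.is_private:
        return "internal destination outside egress policy"
    return "external destination outside egress policy"


def triage(lines, vcenter_ip=VCENTER_IP, policy=POLICY, sweep_threshold=SWEEP_THRESHOLD):
    """Return (findings, sweeps): per-connection policy violations originating
    from vCenter, and hosts that received >= sweep_threshold distinct ports."""
    findings = []
    ports_by_dst = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["src"] != vcenter_ip:
            continue  # not vCenter-originated; out of scope for SSRF triage
        dst, port = m["dst"], int(m["port"])
        ports_by_dst[dst].add(port)  # counted even when the firewall dropped it
        reason = classify(dst, port, policy)
        if reason:
            findings.append(Finding(dst, port, reason, line.strip()))
    sweeps = {d: sorted(p) for d, p in ports_by_dst.items() if len(p) >= sweep_threshold}
    return findings, sweeps


# Constructed firewall log (assumption: not a real vCenter or firewall format).
SAMPLE_LOG = """\
2022-03-10T08:14:02Z mgmt-fw ACCEPT src=10.20.30.5:51234 dst=10.20.30.11:443 proto=tcp
2022-03-10T08:14:03Z mgmt-fw ACCEPT src=10.20.30.5:51235 dst=10.20.30.2:53 proto=udp
2022-03-10T08:14:09Z mgmt-fw ACCEPT src=10.20.30.5:51240 dst=169.254.169.254:80 proto=tcp
2022-03-10T08:14:11Z mgmt-fw ACCEPT src=10.20.30.5:51241 dst=10.20.30.50:22 proto=tcp
2022-03-10T08:14:11Z mgmt-fw ACCEPT src=10.20.30.5:51242 dst=10.20.30.50:3306 proto=tcp
2022-03-10T08:14:12Z mgmt-fw DROP src=10.20.30.5:51243 dst=10.20.30.50:5432 proto=tcp
2022-03-10T08:14:12Z mgmt-fw ACCEPT src=10.20.30.5:51244 dst=10.20.30.50:8080 proto=tcp
2022-03-10T08:14:20Z mgmt-fw ACCEPT src=10.20.30.5:51250 dst=8.8.8.8:443 proto=tcp
2022-03-10T08:14:21Z mgmt-fw ACCEPT src=10.20.30.6:40001 dst=10.20.30.50:22 proto=tcp
""".splitlines()


if __name__ == "__main__":
    found, sweeps = triage(SAMPLE_LOG)
    for f in found:
        print("%-16s tcp/%-5d %s" % (f.dst, f.port, f.reason))
    for host, ports in sweeps.items():
        print("port sweep from vCenter against %s: %s" % (host, ports))
```

Dropped connections are still counted toward the sweep: a denied probe shows the attacker's intent just as well as an allowed one, and the egress policy from step 4 is what turns those probes into visible denies in the first place.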

Key Details

Property                Value
CVE ID                  CVE-2021-21973
Vendor / Product        VMware — vCenter Server and Cloud Foundation
NVD Published           2021-02-24
NVD Last Modified       2025-10-30
CVSS 3.1 Score          5.3
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity                MEDIUM
CWE                     CWE-918
CISA KEV Added          2022-03-07
CISA KEV Deadline       2022-03-21
Known Ransomware Use    No

CVSS 3.1 Breakdown

Attack Vector           Network
Attack Complexity       Low
Privileges Required     None
User Interaction        None
Scope                   Unchanged
Confidentiality         Low
Integrity               None
Availability            None

Required Action

CISA BOD 22-01 Deadline: 2022-03-21. Apply updates per vendor instructions.

Timeline

Date        Event
2021-02-23  VMware releases VMSA-2021-0002, fixing CVE-2021-21972 (RCE) and CVE-2021-21973 (SSRF) in vCenter Server
2021-02-24  CVE published by NVD; public scanning and exploitation of CVE-2021-21972 begins, and every instance reachable that way is also exposed to CVE-2021-21973
2022-03-07  Added to CISA Known Exploited Vulnerabilities catalog
2022-03-21  CISA BOD 22-01 remediation deadline

References

Resource                                    Type
VMware Security Advisory VMSA-2021-0002     Vendor Advisory
NVD — CVE-2021-21973                        Vulnerability Database
CISA KEV Catalog Entry                      US Government