CVE-2021-21975 — VMware Server Side Request Forgery in vRealize Operations Manager API

VMware vRealize Operations Manager — Unauthenticated SSRF in API Allows Attacker to Steal Administrative Credentials; Chained with CVE-2021-21983 for Full Compromise

What is VMware vRealize Operations Manager?

VMware vRealize Operations Manager (vROps) is an enterprise IT operations management platform that monitors, analyzes, and optimizes VMware vSphere environments — including ESXi hosts, vCenter servers, virtual machines, and storage/network infrastructure. vROps has deep integration with the virtualization infrastructure it manages: it has privileged access to vCenter credentials, VM configurations, and management APIs across the entire virtualized environment. Because vROps is a management plane component with broad infrastructure access, compromising it can provide attackers with visibility into and control over the entire virtualized environment — making it a high-value target for ransomware operators and nation-state actors. The vROps API exposes management functionality over HTTP, creating an attack surface accessible from any network with connectivity to the vROps instance.

Overview

CVE-2021-21975 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in the VMware vRealize Operations Manager API. An unauthenticated attacker with network access to the vROps API can send crafted requests that cause the vROps server to make outbound HTTP requests to attacker-specified URLs — including the vROps server's own localhost API — enabling the attacker to steal administrative credentials. Chained with CVE-2021-21983 (an arbitrary file write vulnerability), the SSRF credential theft provides authentication for writing a web shell to the vROps server. VMware patched both CVEs in VMSA-2021-0004 in March 2021. CISA added CVE-2021-21975 to the KEV catalog in January 2022.

Affected Versions

Product                                     Vulnerable   Fixed
vRealize Operations Manager before 8.4.0    Yes          8.4.0 and later
vRealize Operations Manager 7.x and 8.x     Yes          Apply VMSA-2021-0004 patches

Technical Details

  • Root cause: Server-Side Request Forgery (CWE-918) in the vROps API. An unauthenticated API endpoint accepts a URL parameter and causes the vROps server to issue an outbound HTTP request to that URL; by pointing it at the vROps server's own localhost management API, the attacker reaches administrative API endpoints that are not directly network-accessible
  • Credential theft: The localhost vROps API exposes administrative credential information; by using the SSRF to proxy requests through the vROps server to its own localhost API, an attacker can retrieve admin credentials — typically vCenter and infrastructure account credentials stored in vROps configuration
  • Exploit chain with CVE-2021-21983: (1) CVE-2021-21975 (SSRF) retrieves vROps admin credentials; (2) CVE-2021-21983 (arbitrary file write, requiring auth) uses the stolen credentials to write a web shell to the vROps file system → full RCE on the management platform
  • Infrastructure access cascade: vROps admin credentials often include vCenter admin credentials and other infrastructure management accounts; code execution on vROps provides a pivot point into the entire VMware infrastructure
  • Ransomware use: Ransomware operators targeting VMware environments (ESXiArgs, BlackCat/ALPHV, etc.) seek management plane access to deploy ransomware across many VMs simultaneously; vROps compromise provides this capability

Discovery

Reported to VMware and patched in VMSA-2021-0004 in March 2021. Researchers at the security firm Positive Technologies were credited with the discovery. The January 2022 CISA KEV addition reflects confirmed exploitation in the nine months after the patch was available.

Exploitation Context

VMware management platform vulnerabilities are prime targets for ransomware operators because they provide access to the virtualization control plane — a position from which attackers can encrypt or destroy many VMs simultaneously. CVE-2021-21975's SSRF → credential theft is the entry point for a complete vROps compromise chain that ends with code execution on the management server and access to vCenter credentials. Organizations with unpatched vROps instances exposed on corporate networks (even without internet exposure) remained vulnerable to internal threat actors or attackers who had already gained internal network access.

Remediation

  1. Apply VMware VMSA-2021-0004 patches for vRealize Operations Manager — upgrade to version 8.4.0 or apply the available hotfixes for earlier versions
  2. Restrict network access to the vROps API — the vROps management interface should not be accessible from untrusted network segments; place behind a firewall allowing access only from administrator workstations and management networks
  3. Rotate all credentials stored in vROps after patching — if exploitation is suspected, vCenter passwords and other infrastructure credentials should be changed
  4. Audit vROps for indicators of compromise: unexpected files in the web application directory, unusual outbound connections from vROps, anomalous API access in vROps logs
  5. Apply CVE-2021-21983 patch simultaneously — the two CVEs form an exploitation chain; patching only one does not prevent full compromise
  6. Implement monitoring for SSRF indicators: anomalous outbound HTTP requests from the vROps server to internal addresses, particularly localhost API calls
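As an added illustration of remediation step 6 (and of the localhost-targeting pattern described under Technical Details), not code from this page or from VMware: a Python checker that scans access-log lines for API requests whose URL-valued parameters point at loopback, link-local or other non-routable addresses, the same test a server-side URL allow-list would apply before issuing an outbound request. The log format, request path, parameter name and client addresses are constructed for the example; the actual vROps endpoint is not named on this page and is not assumed here.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines: the request path and parameter
# name are placeholders, not the real vROps API route, and the client
# addresses come from documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2021:10:01:02 +0000] "GET /api/PLACEHOLDER?url=https://vendor.example.com/feed HTTP/1.1" 200 512
198.51.100.7 - - [30/Mar/2021:10:02:15 +0000] "GET /api/PLACEHOLDER?url=http%3A%2F%2F127.0.0.1%2Fadmin%2FPLACEHOLDER HTTP/1.1" 200 1840
198.51.100.7 - - [30/Mar/2021:10:02:20 +0000] "GET /api/PLACEHOLDER?url=http://localhost/admin/PLACEHOLDER HTTP/1.1" 200 1840
203.0.113.9 - - [30/Mar/2021:10:03:00 +0000] "GET /ui/login HTTP/1.1" 200 220
"""

# client address, then the request target of the first request line
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT) (\S+) HTTP/')


def target_is_internal(url: str) -> bool:
    """True when a URL points at the server itself or a non-routable
    address (loopback, link-local, RFC 1918 private, unspecified).
    Only 'localhost' and IP literals are decided; other DNS names are
    not resolved so the check stays offline."""
    host = (urlsplit(url).hostname or "").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        # a bare integer host is the decimal form of an IPv4 address
        addr = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return False  # ordinary DNS name; not decidable without resolution
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved)


def ssrf_indicators(log_text: str) -> list:
    """Return one record per request whose query carries a URL aimed at
    an internal target, the SSRF pattern described under Technical Details."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        for name, value in parse_qsl(urlsplit(target).query):
            if "://" in value and target_is_internal(value):
                hits.append({"client": client, "param": name, "target": value})
    return hits


if __name__ == "__main__":
    for hit in ssrf_indicators(SAMPLE_LOG):
        print(f"SSRF indicator from {hit['client']}: {hit['param']}={hit['target']}")
```

Run against real vROps access logs, the same `target_is_internal` test also serves as the server-side rejection rule for a URL parameter before any outbound request is made.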

Key Details

Property               Value
CVE ID                 CVE-2021-21975
Vendor / Product       VMware — vRealize Operations Manager API
NVD Published          2021-03-31
NVD Last Modified      2025-10-30
CVSS 3.1 Score         7.5
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity               HIGH
CWE                    CWE-918
CISA KEV Added         2022-01-18
CISA KEV Deadline      2022-02-01
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2022-02-01. Apply updates per vendor instructions.

Timeline

Date         Event
2021-03-30   VMware publishes VMSA-2021-0004 patching CVE-2021-21975 and CVE-2021-21983 in vRealize Operations Manager
2021-03-31   CVE published
2022-01-18   Added to CISA Known Exploited Vulnerabilities catalog
2022-02-01   CISA BOD 22-01 remediation deadline

References

Resource                                   Type
VMware Security Advisory VMSA-2021-0004    Vendor Advisory
NVD — CVE-2021-21975                       Vulnerability Database
CISA KEV Catalog Entry                     US Government