What is VMware vCenter Server?
VMware vCenter Server is the centralized management platform for VMware vSphere virtualization infrastructure, used by enterprises and government agencies to manage ESXi hypervisors, virtual machines, storage, and networking across entire data centers. vCenter is the command-and-control hub for virtualized infrastructure — an attacker with unauthenticated RCE on vCenter can immediately take control of all virtual machines in the environment, exfiltrate data from running VMs, and deploy malware across the entire virtualized estate. This makes vCenter one of the highest-value targets in enterprise environments. See also CVE-2021-22005 for another critical vCenter RCE from later in 2021.
Overview
CVE-2021-21985 is an improper input validation vulnerability (CWE-918) in the vSAN Health Check plugin included with VMware vCenter Server. The vSAN Health Check plugin is enabled by default in all vCenter Server installations — even those that do not use vSAN storage. An unauthenticated attacker with network access to the vCenter Server management interface (port 443) can exploit this vulnerability to execute arbitrary commands on the underlying operating system. VMware released VMSA-2021-0010 with patches in May 2021. Ransomware groups including Conti, DarkSide, and BlackMatter exploited this vulnerability to gain administrative control over enterprise vSphere environments.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| vCenter Server 7.0 before 7.0 U2b | Yes | 7.0 U2b |
| vCenter Server 6.7 before 6.7 U3n | Yes | 6.7 U3n |
| vCenter Server 6.5 before 6.5 U3p | Yes | 6.5 U3p |
| Cloud Foundation 4.x (vCenter 7.0) | Yes | 4.2.1 |
| Cloud Foundation 3.x (vCenter 6.5) | Yes | 3.10.2.1 |
Technical Details
The vSAN Health Check plugin (enabled by default) processes HTTP requests through the vSphere Client web interface. The plugin's request handler performs insufficient validation of attacker-controlled input parameters:
- Root cause: Improper input validation (CWE-918) in the vSAN Health Check plugin's request processing — the plugin passes attacker-controlled parameters to backend operations without adequate sanitization
- Default-enabled risk: The vSAN Health Check plugin is active in all vCenter installations regardless of whether vSAN is deployed — every unpatched vCenter server is vulnerable, not just those using vSAN storage
- Network access: The vulnerability is exploitable via HTTPS on the standard vCenter management port (443) with no authentication required
- Code execution: Successful exploitation grants OS-level command execution in the context of the VMware service account, which typically has broad system privileges on the vCenter Appliance (VCSA)
- Companion vulnerability: CVE-2021-21986 (a separate authentication bypass in the same advisory) affects the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plugins
Discovery
Reported to VMware by multiple external security researchers. VMware credited the reporters in VMSA-2021-0010 and released patches proactively before widespread exploitation.
Exploitation Context
VMware vCenter Server is one of the most targeted enterprise products for ransomware operators. Initial access via CVE-2021-21985 was confirmed in ransomware deployments by Conti, DarkSide, BlackMatter, and other groups throughout late 2021. vCenter access is particularly valuable for ransomware because it allows simultaneous encryption of all virtual disks across an entire data center — a single ESXi command can encrypt hundreds of VMs without individually targeting each one. NSA and CISA included CVE-2021-21985 in advisories about top routinely exploited vulnerabilities. Shodan consistently shows thousands of vCenter management interfaces exposed directly to the internet.
Remediation
- Apply patches per VMSA-2021-0010 — upgrade to vCenter 7.0 U2b, 6.7 U3n, or 6.5 U3p as appropriate
- If immediate patching is not possible, apply VMware's workaround: disable the affected plugins (vSAN Health Check, Site Recovery, vSphere Lifecycle Manager, VMware Cloud Director Availability) via the vCenter managed object browser
- Restrict network access to the vCenter Server management interface (port 443) to authorized administrator IP ranges — vCenter should never be directly accessible from the internet
- Enable vCenter Server Appliance firewall rules to limit incoming connections to the management interface
- Review vCenter audit logs for unexpected API calls, unauthorized VM snapshots, or bulk VM power operations that may indicate post-exploitation activity
- After patching, audit all VMs for unauthorized snapshots, cloned VMs, or modified configurations
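The log-review step above asks for bulk snapshot and power operations to be treated as post-exploitation signals. As an added example that is not part of this page or of VMware's tooling, the following Python runs a per-account burst check over a constructed event export; the record layout (time, user, event type, VM) and the event type labels are assumptions modelled on vSphere event names, not a real vCenter export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operation types the remediation list asks operators to look for in bulk.
# Labels are modelled on vSphere event type names; this is an assumption, not a vCenter export.
WATCHED = {"VmPoweredOffEvent", "VmClonedEvent", "TaskEvent:VirtualMachine.createSnapshot"}

# Constructed sample export, one "<time>,<user>,<event type>,<vm>" record per line:
# an administrator's routine reboot, then one account powering off ten VMs in 36 seconds.
SAMPLE_EVENTS = "\n".join([
    "2021-06-12T09:00:01Z,jdoe@vsphere.local,VmPoweredOffEvent,build-07",
    "2021-06-12T09:41:17Z,jdoe@vsphere.local,VmPoweredOnEvent,build-07",
    "2021-06-13T02:13:40Z,svc-monitor@vsphere.local,TaskEvent:VirtualMachine.createSnapshot,db-00",
] + [f"2021-06-13T02:14:{s:02d}Z,svc-monitor@vsphere.local,VmPoweredOffEvent,db-{i:02d}"
     for i, s in enumerate(range(3, 43, 4))])

def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, etype, vm = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, etype, vm))
    return sorted(events)

def find_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Report each account whose watched operations touch >= threshold distinct
    VMs inside one sliding window: the bulk pattern post-exploitation tends to show."""
    by_user = defaultdict(list)
    for ts, user, etype, vm in events:
        if etype in WATCHED:
            by_user[user].append((ts, vm))
    alerts = []
    for user, ops in by_user.items():
        best, start = (0, None, None), 0
        for end in range(len(ops)):
            while ops[end][0] - ops[start][0] > window:
                start += 1          # slide the window forward until it fits
            n = len({vm for _, vm in ops[start:end + 1]})
            if n > best[0]:
                best = (n, ops[start][0], ops[end][0])
        if best[0] >= threshold:
            alerts.append({"user": user, "distinct_vms": best[0],
                           "start": best[1], "end": best[2]})
    return alerts

if __name__ == "__main__":
    for a in find_bursts(parse(SAMPLE_EVENTS)):
        print(f"{a['user']}: {a['distinct_vms']} VMs between {a['start']} and {a['end']}")
```

Tune `threshold` and `window` to the normal change rate of the environment; a backup service account that snapshots many VMs on a schedule will need an allow-list or a higher threshold.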
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-21985 |
| Vendor / Product | VMware — vCenter Server |
| NVD Published | 2021-05-26 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-918 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | ⚠️ Yes |
CVSS 3.1 Breakdown
Timeline
| Date | Event |
|---|---|
| 2021-05-25 | VMware releases patches for CVE-2021-21985 and companion CVE-2021-21986 |
| 2021-05-26 | CVE published; VMSA-2021-0010 advisory released |
| 2021-06 | Proof-of-concept exploits published; exploitation begins within weeks of disclosure |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| VMware Security Advisory VMSA-2021-0010 | Vendor Advisory |
| NVD — CVE-2021-21985 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |