CVE-2021-22005 — VMware vCenter Server File Upload Vulnerability

CVE-2021-22005

VMware vCenter Server — Unauthenticated File Upload via Analytics Service Enabling RCE on Port 443, Exploited in Ransomware Campaigns

What is VMware vCenter Server?

VMware vCenter Server is the centralized management platform for VMware vSphere virtualization infrastructure — the hypervisor layer running virtual machines in most enterprise datacenters. A compromised vCenter Server gives an attacker administrative control over the entire virtual infrastructure: the ability to create, modify, snapshot, and delete VMs; access to all VM disk contents; and network-level control over the virtualized environment. CVE-2021-22005 is one of the most impactful vCenter vulnerabilities ever disclosed.

Overview

CVE-2021-22005 is a critical unauthenticated file upload vulnerability (CWE-22) in VMware vCenter Server's Analytics service. An attacker with network access to port 443 can upload arbitrary files to the vCenter VCSA (virtual appliance) without authentication, enabling remote code execution as root. VMware issued patches on September 21, 2021, and CISA issued an emergency alert the following day urging immediate action — noting that exploitation would occur within 24 hours, which proved accurate. Ransomware groups actively exploited this vulnerability.

Affected Versions

Product                          Vulnerable      Fixed
vCenter Server 7.0               < 7.0 U2d       7.0 U2d
vCenter Server 6.7               < 6.7 U3o       6.7 U3o
vCenter Server 6.5               < 6.5 U3q       6.5 U3q
Cloud Foundation 4.x (vCenter)   < 4.3           4.3
Cloud Foundation 3.x (vCenter)   < 3.10.2.1      3.10.2.1

Technical Details

The vCenter Analytics service is a component that collects telemetry and usage data from the vCenter deployment. A file upload endpoint in this service lacks authentication, allowing any unauthenticated HTTP client to upload files to the vCenter filesystem:

  • Vulnerable service: vCenter Analytics service, accessible via HTTPS on port 443
  • Authentication required: None — the upload endpoint is pre-auth accessible
  • File placement: Uploaded files can be placed in web-accessible directories
  • Webshell deployment: Uploading a JSP webshell to a Tomcat-accessible directory provides interactive code execution
  • Execution context: The vCenter Tomcat process and related services run with elevated privileges on the VCSA appliance — in many environments, equivalent to root
  • Speed of exploitation: Working public exploits appeared within 24 hours of VMware's patch publication, consistent with CISA's warning

Discovery

Identified by Haoxi Tan of BSRC (Baidu Security Research Center). VMware coordinated disclosure and released patches and an advisory simultaneously.

Exploitation Context

CVE-2021-22005 was immediately and massively exploited. Multiple ransomware groups (including BlackMatter, Conti, and others) used it to deploy ransomware across virtualized environments by compromising vCenter and using its VM management capabilities to encrypt entire virtual machine datastores. Nation-state actors also used it for espionage — vCenter access provides visibility into the entire virtual infrastructure and all VMs running in it. CISA's unusually urgent advisory reflected the severity and likely speed of exploitation.

Remediation

  1. Apply VMware Security Advisory VMSA-2021-0020 patches for your vCenter version immediately
  2. If immediate patching is not possible, VMware published a workaround script to disable the Analytics service — apply this before the permanent patch
  3. Restrict network access to vCenter's management interface (port 443) to trusted management network IPs only — vCenter should never be internet-accessible
  4. If the vCenter was exposed and unpatched, treat it as potentially compromised: check for webshells in Tomcat directories, unexpected processes, and unauthorized VM snapshots
  5. Review all VM snapshots and datastores for unauthorized modifications
  6. Rotate all vCenter administrative credentials and service account passwords after patching
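To support step 1, an added example (not VMware's tooling nor part of this advisory) that parses vCenter Server version strings in the "7.0 U2d" form used in the Affected Versions table and reports whether a given version is at or past the fixed release. It covers only the vCenter Server lines from the table; Cloud Foundation uses a different version scheme and is left out.

```python
import re
from typing import NamedTuple

# Fixed releases copied from the Affected Versions table on this page,
# keyed by the major.minor release line.
FIXED_RELEASES = {
    "7.0": "7.0 U2d",
    "6.7": "6.7 U3o",
    "6.5": "6.5 U3q",
}

# Matches "7.0", "7.0 U2" and "7.0 U2d" (case-insensitive on the "U" and letter).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?\s*$", re.IGNORECASE)


class VcVersion(NamedTuple):
    major: int
    minor: int
    update: int   # 0 for a GA release with no "U" suffix
    patch: str    # "" for an update with no letter suffix (U2 sorts before U2a)

    @property
    def line(self) -> str:
        return f"{self.major}.{self.minor}"


def parse_version(text: str) -> VcVersion:
    """Parse a vCenter version string such as '6.7 U3o' into comparable parts."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized vCenter version: {text!r}")
    major, minor, update, patch = m.groups()
    return VcVersion(int(major), int(minor), int(update or 0), (patch or "").lower())


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one vCenter version string.

    'unknown' means the release line is not covered by the table on this page,
    so no conclusion about CVE-2021-22005 can be drawn from the version alone.
    """
    v = parse_version(version_text)
    fixed_text = FIXED_RELEASES.get(v.line)
    if fixed_text is None:
        return "unknown"
    fixed = parse_version(fixed_text)
    # NamedTuple ordering compares (major, minor, update, patch) left to right.
    return "patched" if v >= fixed else "vulnerable"
```

The version string shown in the vSphere client is only a first screen; confirm against the build number listed in VMSA-2021-0020 before closing the finding.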

Key Details

Property               Value
CVE ID                 CVE-2021-22005
Vendor / Product       VMware — vCenter Server
NVD Published          2021-09-23
NVD Last Modified      2025-10-30
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-22
CISA KEV Added         2021-11-03
CISA KEV Deadline      2021-11-17
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date         Event
2021-09-21   VMware releases VMSA-2021-0020 advisory and patches
2021-09-23   CVE published
2021-09-24   CISA issues alert urging immediate patching of CVE-2021-22005
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17   CISA BOD 22-01 remediation deadline

References

Resource                                   Type
VMware Security Advisory VMSA-2021-0020    Vendor Advisory
NVD — CVE-2021-22005                       Vulnerability Database
CISA KEV Catalog Entry                     US Government