⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2021-11-17.

CVE-2021-21972 — Path Traversal in Vmware Cloud Foundation

CWE-22 — Path Traversal CWE-23 — Relative Path Traversal CWE-269 — Improper Privilege Management15 documents10 sources

Severity

9.8CRITICALNVD

EPSS

93.8%

top 0.14%

CISA KEV

KEVRansomware

Added 2021-11-03

Due 2021-11-17

Exploit

Exploited in wild

Active exploitation observed

Affected products

Vmware Cloud Foundation Vmware Cloud Foundation Vmware Vcenter Server +1 more

Timeline

PublishedFeb 24

KEV addedNov 3

KEV dueNov 17

Latest updateMay 24

CISA Required Action: Apply updates per vendor instructions.

Description

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDvmware/vcenter_server6.5, 6.7, 7.0+2

▶CVEListV5vmware/vmware_vcenter_server6.5 before 6.5 U3n, 6.7 before 6.7 U3l, 7.x before 7.0 U1c+2

▶NVDvmware/cloud_foundation3.0 — 3.10.1.2+1

▶CVEListV5vmware/vmware_cloud_foundation3.x before 3.10.1.2, 4.x before 4.2+1

🔴Vulnerability Details

GHSA

GHSA-c9cr-34rr-8gpr: The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin↗2022-05-24

▶

CVEList

CVE-2021-21972: The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin↗2021-02-24

▶

VulnCheck

VMware vCenter Server Remote Code Execution Vulnerability↗2021

▶

💥Exploits & PoCs

Exploit-DB

VMware vCenter Server 7.0 - Remote Code Execution (RCE) (Unauthenticated)↗2021-06-24

▶

Exploit-DB

VMware vCenter Server 7.0 - Unauthenticated File Upload↗2021-03-01

▶

Nuclei

VMware vSphere Client (HTML5) - Remote Code Execution

▶

🔍Detection Rules

Suricata

ET EXPLOIT Inbound VMware vCenter RCE Attempt with Untrusted SSH Key Upload (CVE-2021-21972)↗2021-02-25

▶

Suricata

ET EXPLOIT Inbound VMware vCenter RCE Attempt M1 (CVE-2021-21972)↗2021-02-25

▶

Suricata

ET EXPLOIT Inbound VMware vCenter RCE Attempt M2 (CVE-2021-21972)↗2021-02-25

▶

Suricata

ET EXPLOIT Inbound VMware vCenter RCE Attempt M4 (CVE-2021-21972)↗2021-02-25

▶

Suricata

ET EXPLOIT Inbound VMware vCenter RCE Attempt M3 (CVE-2021-21972)↗2021-02-25

▶

📋Vendor Advisories

CISA

VMware vCenter Server Remote Code Execution Vulnerability↗2021-11-03

▶

VMware

VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)↗2021-02-23

▶