What Happened
Positive Technologies discovered a vulnerability in VMware vCenter/vSphere that allows an unauthenticated attacker to remotely execute code on the VMware hypervisor (CVE-2021-21972). The vulnerability was first reported to the vendor on October 2, 2020, and a patch was released by VMware on February 23, 2021.
Is a weaponized exploit available yet?
Proof-of-concept code was released on GitHub shortly after the patch, giving any attacker with access to that code the ability to exploit the vulnerability.
How Bad is This?
Bad. Any threat actor who can reach port 443 on your vCenter server can completely compromise the device, the data, and any VMs it contains.
Several exploits are now public – you should expect that these will be used immediately to facilitate attacks. Scanning for vulnerable systems has already been observed:
We’ve detected mass scanning activity targeting vulnerable VMware vCenter servers (https://t.co/t3Gv2ZgTdt).
Query our API for “tags=CVE-2021-21972” for relevant indicators and source IP addresses. #threatintel https://t.co/AcSZ40U5Gp
— Bad Packets (@bad_packets) February 24, 2021
What Should I Do?
Make sure no vCenter assets are directly exposed to the internet; if they are, sever that access and triage those hosts for indications of compromise. If not directly exposed to the internet, prioritize patching quickly because a locally networked device could be used to exploit internal hosts. It only takes one phishing email for an actor to breach the perimeter.
The options below are ordered from the most complete remediation to the more temporary measures:
Option 1:
Apply the patch according to your version.
Option 2:
Employ a workaround to disable the vulnerable location on the server. Here are instructions on how to do that, from VMware’s knowledge base: https://kb.vmware.com/s/article/82374
Option 3:
Use network firewalls to restrict access on port 443 to trusted hosts only.
How to Detect
Watch for unusual access to vCenter hosts on port 443; if possible, alert on requests for the following URI paths:
/ui/vropspluginui/rest/services/
/ui/vropspluginui/rest/services/uploadova
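The detection logic above, as an added example (not Blumira's or VMware's code): it parses combined-log-style access-log lines from a reverse proxy or web server in front of vCenter, normalizes the request path (query string removed, duplicate slashes collapsed, case folded) so trivial variations don't slip past a string match, and flags any request under the vROps plugin prefix. Requests from outside an assumed trusted management subnet (the 10.10.0.0/24 value is a placeholder) are rated critical, in line with Option 3's port-443 restriction; requests from inside it are marked for review. The log lines are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# URI paths named in the alert. Anything under the prefix is worth a look;
# uploadova is the endpoint the public proof-of-concept code posts to.
WATCHED_PREFIX = "/ui/vropspluginui/rest/services/"
UPLOAD_PATH = WATCHED_PREFIX + "uploadova"

# Assumed: the only subnet permitted to reach vCenter on 443 (placeholder value).
TRUSTED_NETS = [ip_network("10.10.0.0/24")]

# Combined-log-style line: client ip, two ident fields, [timestamp],
# "METHOD target HTTP/x", status. Anything else is skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return a dict or None if it doesn't match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Drop the query string, collapse repeated slashes and case-fold so
    # "/ui//VropsPluginUI/..." compares equal to the documented path.
    path = urlsplit(rec["target"]).path
    rec["path"] = re.sub(r"/{2,}", "/", path).lower()
    return rec


def is_trusted(ip):
    """True if the client address falls inside an allowed management subnet."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # unparsable source: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def classify(rec):
    """Return a finding for a parsed record, or None if it is not of interest."""
    if not rec["path"].startswith(WATCHED_PREFIX):
        return None
    reason = "uploadova request" if rec["path"] == UPLOAD_PATH else "plugin endpoint probe"
    severity = "review" if is_trusted(rec["ip"]) else "critical"
    return {
        "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
        "path": rec["path"], "status": rec["status"],
        "reason": reason, "severity": severity,
    }


def scan(lines):
    """Run every line through the parser and classifier; collect findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: one benign request, an external probe of the
# prefix, an external upload attempt, an obfuscated request from the
# management subnet, and a line that is not a log entry at all.
SAMPLE_LOG = [
    '10.10.0.5 - - [24/Feb/2021:10:01:02 +0000] "GET /ui/login HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Feb/2021:10:02:15 +0000] "GET /ui/vropspluginui/rest/services/ HTTP/1.1" 200 43',
    '198.51.100.7 - - [24/Feb/2021:10:02:20 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 12',
    '10.10.0.9 - - [24/Feb/2021:10:05:00 +0000] "GET /ui//VropsPluginUI/rest/services/uploadova?x=1 HTTP/1.1" 405 0',
    'not a log line',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:15} {f['method']:4} {f['path']} ({f['reason']})")
```

Feed real proxy logs in on stdin or via a file and replace the placeholder subnet with your own management range; a successful (2xx) uploadova request from an untrusted source is the record that should trigger the host triage described above.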
For further technical details, see:
https://swarm.ptsecurity.com/unauth-rce-vmware/
Brian Laskowski
Brian has 5 years of experience in IT, with prior work ranging from Linux systems administration to, most recently, leading the threat intelligence program at the State of Michigan security operations center. Other areas of focus have included incident response, threat hunting, memory analysis, adversary emulation, and...