Skip to content
Get A Demo
Free SIEM
    February 24, 2021

    Critical VMware vCenter RCE (CVE-2021-21972) Exploits Released

    What Happened

    Positive Technologies discovered a vulnerability in VMware vCenter/vSphere that allows an unauthenticated attacker to remotely execute code on the VMware hypervisor (CVE-2021-21972). The vulnerability was first reported to the vendor on October 2 2020, and a patch was released by VMware on February 23 2021.

    Is a weaponized exploit available yet?

    Proof of concept code has indeed been released to GitHub shortly after the patch was released allowing any attacker with access to the code the ability to take advantage of the vulnerability.

    How Bad is This?

    Bad. Any threat actor who can reach port 443 on your vCenter server can completely compromise the device, the data, and any VMs it contains.

    Several exploits are now public – you should expect that these will be used immediately to facilitate attacks. Scanning for vulnerable systems has been seen:


    What Should I Do?

    Make sure no vCenter assets are directly exposed to the internet; if they are, sever that access and triage those hosts for indications of compromise. If not directly exposed to the internet, prioritize patching quickly because a locally networked device could be used to exploit internal hosts. It only takes one phishing email for an actor to breach the perimeter.

    Your options are ordered from most complete in remediation, to more temporary measures:

    Option 1:
    Apply the patch according to your version.

    Option 2:
    Employ a workaround to disable the vulnerable location on the server. Here are instructions on how to do that, from VMware’s knowledge base: https://kb.vmware.com/s/article/82374

    Option 3:
    Use network firewalls to restrict access on port 443 to trusted hosts only.

    How to Detect

    Watch for unusual access to vCenter hosts on port 443; if possible, target requests for the URI paths:

    /ui/vropspluginui/rest/services/
    /ui/vropspluginui/rest/services/uploadova

    For further technical details, see:
    https://swarm.ptsecurity.com/unauth-rce-vmware/

    Tag(s): Security Alerts , Blog , CVE

    Brian Laskowski

    Brian has 5 years of experience in IT, with prior work including linux systems administration to most recently leading the threat intelligence program at the State of Michigan security operations center. Other areas of focus have included, incident response, threat hunting, memory analysis, adversary emulation, and...

    More from the blog

    View All Posts