Overview
VMware vCenter Server contains a critical remote code execution vulnerability in the vSphere Client (HTML5) plugin. An unauthenticated attacker with network access to port 443 can execute arbitrary commands with unrestricted privileges on the underlying host operating system. This vulnerability was actively exploited in the wild and affects a wide range of vCenter Server versions. The vulnerability was disclosed on February 24, 2021. CISA lists CVE-2021-21972 as exploited in the wild, and it is known to be used in ransomware campaigns.
Technical details
The vulnerability exists in the vCenter Server plugin infrastructure, specifically in how it processes requests to the HTML5 vSphere Client. An attacker can craft a malicious request containing arbitrary code that is processed by a vulnerable endpoint without proper input validation or authentication checks. The flaw allows the attacker to upload arbitrary files and execute commands with SYSTEM privileges on the underlying Windows/Linux host running vCenter Server.
The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')), CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-502 (Deserialization of Untrusted Data).
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.
Impact
Successful exploitation allows unauthenticated attackers to achieve complete system compromise. An attacker can execute arbitrary operating system commands with SYSTEM/root privileges on the vCenter Server host, leading to: complete server takeover, data theft or destruction, lateral movement within the infrastructure, deployment of ransomware, installation of persistent backdoors, and disruption of virtual infrastructure management. Since vCenter Server is typically a critical management component, its compromise enables attackers to control all virtual machines and resources within the vSphere environment.
Mitigation and workarounds
Update vCenter Server to the patched versions released on March 2, 2021 or later. VMware recommends using the vCenter Server Appliance (VCSA) update mechanisms or the Windows vCenter Server patches available from the VMware support portal. The following versions include the necessary fixes: vCenter Server 6.5 U3g and later, vCenter Server 6.7 U3d and later, vCenter Server 7.0 U1c and later.
As temporary workarounds:
- Network segmentation: restrict network access to port 443 on vCenter Server to trusted management networks only. Implement firewall rules to limit access to authorized administrative sources.
- Disable the HTML5 vSphere Client if not in use: if the legacy C# client or alternative management methods are available, disable the HTML5 client temporarily.
- Web application firewall (WAF) rules: deploy WAF rules to block suspicious requests to vCenter Server plugin endpoints, though this is not a complete mitigation without knowing the exact attack signatures.
CISA's recommendation: Apply updates per vendor instructions.
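The two network-side workarounds above (restricting port 443 to trusted management networks, and watching for suspicious write requests to plugin endpoints) can be checked against access logs. The script below is an added example, not part of the original advisory or VMware's own tooling: it triages constructed, combined-style log lines, flagging requests from outside the allowlisted management networks and write requests aimed at plugin endpoints under /ui/. The management CIDRs, the log format and the plugin-endpoint pattern are all assumptions; the pattern is a placeholder to be replaced with the exact plugin paths from the vendor advisory.

```python
"""Added example (not from the original advisory): triage of constructed
vCenter access-log lines against the network-segmentation and WAF workarounds.
The management networks, log format and plugin-endpoint pattern are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the management networks permitted to reach vCenter on TCP/443.
# The same list is what the firewall allowlist for port 443 should contain.
TRUSTED_MGMT_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Assumption: placeholder pattern for HTML5 vSphere Client plugin endpoints
# under /ui/. Substitute the exact plugin paths from the vendor advisory.
PLUGIN_ENDPOINT_RE = re.compile(r"^/ui/[^/?]*plugin[^?]*", re.IGNORECASE)

# Methods that carry a request body and can therefore deliver a file upload.
WRITE_METHODS = {"POST", "PUT"}

# Constructed combined-style access log line (not vCenter's actual log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    method: str
    path: str
    reasons: Tuple[str, ...]
    severity: str


def is_trusted_source(ip: str) -> bool:
    """True when the client address belongs to a trusted management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious line; None for benign or unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, method, path = m["ip"], m["method"], m["path"]
    reasons = []
    if not is_trusted_source(ip):
        # Segmentation workaround violated: the firewall should have dropped this.
        reasons.append("untrusted-source")
    if method in WRITE_METHODS and PLUGIN_ENDPOINT_RE.match(path):
        # The traffic the WAF workaround targets: a write request to a plugin endpoint.
        reasons.append("write-to-plugin-endpoint")
    if not reasons:
        return None
    severity = "high" if len(reasons) == 2 else "medium"
    return Finding(ip, method, path, tuple(reasons), severity)


def triage(lines: List[str]) -> List[Finding]:
    """Triage every line and keep only the suspicious ones, in log order."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


# Constructed sample log lines (not real traffic); hypothetical plugin path.
SAMPLE_LOG = [
    '10.10.0.5 - - [24/Feb/2021:10:00:01 +0000] "GET /ui/ HTTP/1.1" 200 512',
    '10.10.0.5 - - [24/Feb/2021:10:00:02 +0000] "POST /ui/example-plugin/rest/upload HTTP/1.1" 200 88',
    '203.0.113.7 - - [24/Feb/2021:10:01:00 +0000] "GET /ui/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Feb/2021:10:01:05 +0000] "POST /ui/example-plugin/rest/upload HTTP/1.1" 200 88',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ip:15} {f.method} {f.path} <- {', '.join(f.reasons)}")
```

A write request to a plugin endpoint from an allowlisted address is still reported at medium severity, because the segmentation workaround only narrows the set of hosts that can reach the unpatched endpoint; it does not remove the flaw. Any hit from outside the management networks also means the port 443 restriction is not being enforced and should be treated as a firewall finding in its own right.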
Additional resources
Source: This report was generated using AI