Security research

How to detect VMware vCenter RCE with (CVE-2021-21972)

Updated at

The current, multi-layer setup big organizations run on is a challenge to manage and we both know that (it’s an understatement). And when a vulnerability like CVE-2021-21972 pops up, it reveals how messy the process of patching and mitigation can be.

However, the only way is through! And because discovering and reporting vulnerabilities is what we help you accomplish, we often go in-depth into vulns like these so you don’t have to make an extra effort.

So let’s unpack this particular CVE, starting with a quick timeline.

On February 23, 2021, VMWare released a patch (VMSA-2021-0002) for CVE-2021-21972. In their security advisory, they also mention another vulnerability found in the VMWare ESXi hypervisor.




vCenter Server



vCenter Server






The following day, security expert Mikhail Klyuchnikov published a blog post detailing the two critical vulnerabilities in the vSphere Client component of the VMWare vCenter:

  • Unauthorized file upload leading to remote code execution (RCE) (CVE-2021- 21972)

  • An unauthorized server-side request forgery (SSRF) vulnerability (CVE-2021-21973).

Let’s add a little context.

What is VMware vSphere?

VMware vSphere is VMware’s virtualization platform, which transforms data centers into aggregated computing infrastructures that include CPU, storage, and networking resources. vSphere manages these infrastructures as a unified operating environment and provides you with the tools to manage the data centers that participate in that environment.

VMware vSphere

The two core components of vSphere are ESXi and vCenter Server:

  • ESXi is the virtualization platform where you create and run virtual machines and virtual appliances

  • vCenter Server is the service through which you manage multiple hosts connected in a network and pool host resources.

How the VMware vCenter RCE vuln works

The vSphere Client (HTML5) was affected by a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 could exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts the vCenter Server.

This vuln tracked as CVE-2021-21972 affects:

  • VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n)

  • VMware Cloud Foundation (4.x before 4.2 and 3.x before

Because of the large number of companies that run VMWare vCenter on their networks, Positive Technologies initially planned to keep technical details and proof-of-concept about this critical bug private until system administrators had enough time to apply the patch.
However, a Chinese researcher and other infosec analysts posted a proof-of-concept code, effectively pressuring companies impacted by this vuln to apply the patch. What’s more, they started a mass scan for vulnerable vCenter systems left connected online while attackers hurried to compromise the systems.

How CVE-2021-21972 exposes your system to remote exploitation

The vRealize Operations vCenter Plugin is the root cause of this vulnerability. An attacker can exploit the vulnerable system remotely by uploading a crafted file. That’s why it’s so critical for companies to apply the available patches ASAP.
But before we dive deeper into the patching details, we must gain a strong understanding of CVE-2021-21972.

Details and analysis of the vulnerability

The vuln is present in the vSphere Client because no authentication is required for the /ui/vropspluginui/rest/services/* endpoint.
Within the above endpoint, the vulnerable function is uploadOvaFile and the URL /ui/vropspluginui/rest/services/uploadova permits the upload of a malicious jsp shell, which allows an unauthenticated attacker to gain remote code execution.
The handler of the uploadOva function lets you upload an arbitrary file to an arbitrary location on the vCenter server.

For Windows systems, the adversary can upload a crafted .jsp shell file in order to gain administrative privileges on the server.

For Linux systems, the malicious actor can generate and upload the SSH public key to the authorized_keys file on the server. As a consequence, they can connect via SSH on the vulnerable server.

vuln windows systemVulnerable Windows system
Source: Positive Technologies

vuln linux systemVulnerable Linux system
Source: Positive Technologies

Business impact

If successfully exploited, this vulnerability allows an unauthenticated attacker to get a “VIP ticket” to the Remote Code Execution airplane with destination vCenter in the context of vsphere-ui user.

At the time of writing, we found 6851 potential vulnerable targets registered through Shodan.

shodanYou can try to search and find potential targets for educational purposes yourself, starting from this basic Shodan query: http.title: “IDVCWelcome”.

Opportunistic mass scanning activity detected from hosts in 🇦🇱 🇧🇷 🇨🇦 🇨🇳 🇩🇪 🇭🇰 🇮🇳 🇮🇩 🇯🇵 🇳🇱 🇷🇺 🇸🇬 🇰🇷 🇨🇭 🇦🇪 🇬🇧 🇺🇸 🇻🇳 targeting VMware vCenter servers vulnerable to remote code execution (CVE-2021-21972). #threatintel

— Bad Packets (@bad_packets) February 26, 2021

Depending on your OS and context, there are various levels of fallout that result from an attacker exploiting this CVE:

  • If the threat actor can successfully exploit this vulnerability, they can gain remote code execution in the underlying operating system of the vCenter Server.

  • For Windows hosts, the attacker could upload a malicious .jsp file and gain SYSTEM privileges on the server.

  • For Linux servers, the attacker needs to generate and upload a SSH public key to the authorized_keys file present on the .ssh directory and connect via SSH to the vulnerable server.

  • Any malicious hacker who can reach port 443 on the vulnerable vCenter server can completely harvest data information and compromise the device and any Virtual Machine it contains.

No matter which scenario is more likely to happen in your case, the consequences are… not great.

How to detect CVE-2021-21972 when your endpoint protection doesn’t

If your endpoint security solution can’t detect this critical flaw, here’s a simpler way to do it. Review the vCenter logs and look for access to the /ui/vropspluginui/rest/services/uploadova endpoint.

How to detect CVE-2021-21972 with

Removing friction in your workflow is our specialty, so here’s how to get this job done without extra tools.
Log into your account.
Under Tools, check out the Web Application Testing menu and select Network Vulnerability Scan with OpenVAS.

select scannerIn the scanner’s configuration, set your target URL and select the “Full Scan” option.
Do not add any authentication method because your goal is to find resources you can access without being authorized. If you want to use your time effectively, choose to get an email notification when the scan is finished.

start a scanOnce the scanner wraps up, you can go through the results to see if you are vulnerable to CVE-2021-21972.

scan resultsYou can also export a quick report with this specific issue if you need to pass it on, either in PDF, HTML, or a customizable DOCX.

How to mitigate CVE-2021-21972

We recommend starting to apply the available patches in your environment, as VMWare has already released the patch for CVE-2021-21972.

Product Version>

Fixed Version

Month addressed

vCenter Server 7.0

7.0 U1c

December 2020

vCenter Server 6.7

6.7 U3l

November 2020

vCenter Server 6.5

6.5 U3n

February 2021

Cloud Foundation 3.x

February 2021

Cloud Foundation 4.x


February 2021

If you can’t do it immediately, VMWare provides workaround solutions for CVE-2021-21972 and CVE-2021-21973. System administrators need to change the compatibility matrix file and set the vRealize Operations vCenter Plugin to incompatible.

VMs are great – if you constantly keep an eye on them

Global businesses are running VMware technology to manage their IT infrastructure more easily and automate workloads. While this cloud solution helps organizations increase IT efficiency, unpatched vCenter servers can open them up to a range of security issues.

Regular monitoring is a must-have to ensure business continuity and scheduled scans (which you can also get on are a low-effort way to surface potential problems before they escalate.

Our team keeps working to add new features and improve the tools (now at 25+) on so you can detect vulnerabilities fast.

Get fresh security research

In your inbox. (No fluff. Actionable stuff only.)

I can see your vulns image

Related articles

Suggested articles

Discover our ethical hacking toolkit and all the free tools you can use!

Create free account


© 2013-2024 has a LinkedIn account it's very active on

Join over 45,000 security specialists to discuss career challenges, get pentesting guides and tips, and learn from your peers. Follow us on LinkedIn! has a YouTube account where you can find tutorials and useful videos

Expert pentesters share their best tips on our Youtube channel. Subscribe to get practical penetration testing tutorials and demos to build your own PoCs!

G2 award badge recognized as a Leader in G2’s Spring 2023 Grid® Report for Penetration Testing Software. Discover why security and IT pros worldwide use the platform to streamline their penetration and security testing workflow.

OWASP logo is a Corporate Member of OWASP (The Open Web Application Security Project). We share their mission to use, strengthen, and advocate for secure coding standards into every piece of software we develop.