What is the CVE-2021-21972 Vulnerability and How to Detect It?

In this article:

The Remote Code Execution vulnerability allows a threat actor to run arbitrary code and commands on a target machine or the underlying operating system. In computers with this vulnerability, the remote non-authenticated attacker injects a file, string, or application package into the program’s parser, leading to an attack that can ultimately compromise the application server. The CVE 2021 21972 VCenter server vulnerability is a remote execution flaw affecting the vCenter server plugin in the HTML5 vSphere Client. In applications that run on such vulnerable systems, a threat actor can issue arbitrary commands through HTTP port 443 with unrestricted privileges.

In this article, we discuss the CVE-2021-21972 vulnerability and the approaches to detect and prevent remote execution attacks that are orchestrated over the CVE 2021 21972 vulnerability.

CVE-2021-21972 Vulnerability Explained

The CVE-2021-21972 is a remote execution vulnerability that allows attackers to run code on operating systems that host the VMware vCenter Server. The vulnerability is prevalent on VMware machines that use the vRealize operations vSphere plugin, enabling attackers to issue malicious commands through publicly accessible ports. As the vRealize operations, vCenter plugin is included in all default installations of vCenter Server, the VMware vClient endpoints are considered vulnerable regardless of whether they use vRealize operations for cloud automation. 

Affected software configurations include the VMware vCenter Server versions 6.5, 6.7 & 7.0, and the VMware Cloud Foundation versions 3 and 4. The vulnerability is also present in VMware ESXi hypervisors that provide the threat actor with network access to port 427. In these vulnerable machines, the hacker can trigger heap overflows on VMware’s Service Location Protocol (OpenSLP), allowing for remote code execution.

How to Detect the CVE-2021-21972?

The root cause of CVE-2021-21972 vulnerability is an inherent flaw within the vRealize operations plugin that requires no authentication for the /ui/vropspluginui/rest/services/* endpoint. This allows hackers to create a malicious JSP shell, upload it to an arbitrary location within the server, and gain administrative privileges.

To check whether the server is vulnerable, administrators can review vCenter logs, checking for access to the /ui/vropspluginui/rest/services/uploadova endpoint. 

A more comprehensive method is to test the vCenter Server with a network vulnerability scanner, which checks for open ports, sends specially crafted packets, and checks for the server’s response. These requests should be unauthenticated to verify whether an adversary can upload arbitrary files and issue commands to the server through ports without requiring permissions. Automated vulnerability scanners also integrate with existing workflows while initiating the vulnerability scanning process.

What is the Severity Level of the CVE-2021-21972 Vulnerability?

The National Institute of Standards and Technology (NIST) ranks security flaws based on the Common Vulnerability Scoring System (CVSS) with severity and relevant indicators. Among other vulnerabilities, CVE-2021-21972 is ranked in the critical severity range, with a base security score of 9.8 out of 10. The vulnerability has a high exploitability score of 3.9 since it requires no privileges and has zero attack complexity. A malicious actor possessing network access to virtual machines can orchestrate an attack, making it a high-impact vulnerability with a CVSS impact score of 5.9.

Impacts of the CVE-2021-21972 Vulnerability

Initial entry – Hackers most often exploit CVE-2021-21972 security flaws as the initial access point. Once the unauthorized connection is successfully established, the hacker can masquerade the system to orchestrate several other forms of attack, including opportunistic scanning of sensitive information, malware installation, or server-side request forgery.

Ransomware attacks – The CVE-2021-21972 vulnerability can also be exploited to obtain administrative privileges and seize vCenter server systems. This is usually followed up by demanding compensation to restore server functionalities or decrypt data. 

Data breach – Involves a remote attacker to inject commands for obtaining sensitive data from vulnerable systems. Depending on the virtual machine, such targeted attacks are to obtain and leak sensitive client or application data to third parties, including competitors or malicious actors. 

Ebook about the prevention of the OWASP Top 10 threats

Prevention Guide

Big fat growing cybersecurity ebook

This ebook shows best practices and prevention techniques for keeping vulnerabilities away and securing your web apps.


CVE-2021-21972 – Vulnerability Prevention Techniques

The VMware Cloud Foundation has released several patches that apply to each vulnerable configuration. The table below shows the fixed versions for vulnerable software versions:

VMware product versionPatched Version
VMware vCenter Server 7.07.0 U1c
VMware vCenter Server 6.76.7 U3l
VMware vCenter Server 6.56.5 U3n
VMware Cloud Foundation 3.x3.10.1.2
VMware Cloud Foundation 4.x4.2

If applying the patch is not immediately feasible, VMware also provides a temporary solution that makes the vRealize operations plugin incompatible.

Temporary Fix on Linux Machines

For Linux machines, this is achieved by following the steps below:

1. Connect to the virtual machine using an SSH session and root credentials

2. Back up the /etc/vmware/vsphere-ui/compatibility-matrix.xml file

3. Open the compatibility-matrix.xml file in a preferred text editor

4. Add the following lines of code to the file:



  . . . . 

  . . . . 

<PluginPackage status=”incompatible”/>



5. Save and close the compatibility-matrix.xml file

6. Stop and restart the vsphere-ui service.

Through the above steps, the VMware vROPS client plugin is rendered incompatible, thereby eliminating the CVE-2021-21972 vulnerability from the HTML5 vSphere client.

Temporary Fix on Windows Machines

For Windows-based vCenter server deployments, perform the following steps:

1. Connect to the vCenter server using the Remote Desktop Protocol (RDP)

2. Create a backup of the C:\ProgramData\VMware\vCenterServer\cfg\vsphere-ui\compatibility-matrix.xml file.

3. Add the following to the compatibility matrix file:



  . . . . 

  . . . . 

<PluginPackage status=”incompatible”/>



4. Stop and restart vsphere-ui

This makes vCenter incompatible with the vROPS client plugin, eliminating the CVE-2021-21972 vulnerability.

How Crashtest Helps Identify and Mitigate Vulnerabilities 

Integrating Crashtest Security Suite’s automated vulnerability scanning with existing workflows helps proactively detect security flaws. The security suite ships with several scanners such as the port scanner, command injection scanner, privilege escalation, and remote file inclusion scanner that collectively help identify vulnerabilities. The platform also offers actionable security reports that help cross-functional teams to implement faster, effective threat remediation.

Get a quick security audit of your website for free now

We are analyzing
Scanning target
Scan status: In progress
Scan target:
Date: 14/08/2022
Crashtest Security Suite will be checking for:
Information disclosure Known vulnerabilities SSL misconfiguration Open ports
Complete your scan request
Please fill in your details receive the
quick security audit by email.
Security specialist is analyzing your scan report.
То verify your identity please provide your phone/mobile:
Thank you.
We have received your request.
As soon as your security audit is ready, we will notify you.