Critical Vulnerability in VMware vCenter Server – CVE-2021-22005

Share :

On Tuesday, September 21, 2021, VMware released a patch advisory for a new remote code execution (RCE) vulnerability in VMware vCenter Server tracked as CVE-2021-22005. vCenter Server is a server management solution that System Administrators use to manage virtual machines and virtualized hosts within enterprise environments via a single console. CVE-2021-22005 affects VMware vCenter 6.7x/7.0x and also affects VMware Cloud Foundation 3.x/4.x which bundles vCenter into the software.

Partial proof of concept (PoC) exploit code for CVE-2021-22005 has surfaced publicly and threat actors have begun to scan the internet for publicly accessible vulnerable vCenter Servers. Although the full working exploit for CVE-2021-22005 is not in the public domain, we expect threat actors to quickly fill in the gaps and begin exploiting this vulnerability in targeted ransomware attacks. Exploitation of CVE-2021-22005 can allow a threat actor with direct network access to a vulnerable system to remotely execute malicious code of their choosing.


CVSS Score V3

CVSS Criticality






Arbitrary File Upload & Remote Code Execution (RCE)

The vCenter Server contains an arbitrary file upload vulnerability which could lead to RCE.



This is a file upload vulnerability in the vCenter Server. An unauthenticated attacker capable of accessing port 443 over the same network or directly from the internet could exploit a vulnerable vCenter Server by uploading a file to the vCenter Server analytics service. Successful exploitation would result in remote code execution on the host.

Solutions and Recommendations

This section provides details on the recommendations that Arctic Wolf suggests to remediate CVE-2021-22005.

Recommendation #1: Patch Affected VMware vCenter Server or Cloud Foundation Systems

Patching of vulnerable vCenter Server or Cloud Foundation systems is the best way to fully mitigate CVE-2021-22005. We recommend a priority focus on systems exposed to the public internet or vulnerable points of your internal network.

Below is a breakdown of each affected version of vCenter, Cloud Foundation and associated patch information.

Note: Cloud Foundation is VMware’s hybrid cloud implementation of vCenter Server and has vCenter bundled into the product which is why CVE-2021-22005 affects this software as well.

Vulnerable Product & Versions Patched Version
VMware vCenter Server versions 6.7x and 7.0x
    • – Patch information:

    • – Patch information:

VMware Cloud Foundation versions 3.x and 4.x
    • – Patch information:

    • 4.3.1 – Patch information:

Recommendation #2 Explore Applying Temporary Mitigation for CVE-2021-22005

For organizations that cannot immediately patch, VMware has released a temporary workaround for this vulnerability that should only be applied as a temporary solution until a patch can be applied. VMware has provided a manual workaround option that involves editing an XML file and an automated method using a VMware supported Python script.

To apply this workaround, carefully review the steps provided by VMware to understand potential impact to your vCenter or Cloud Foundation deployment.


Learn more about Arctic Wolf’s Managed Risk solution or request a demo today.

Picture of Adrian Korn

Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.
Share :
Table of Contents
Subscribe to our Monthly Newsletter