VMware fixes critical vCenter Server RCE vulnerability, urges immediate action (CVE-2021-21985)

VMware has patched two vulnerabilities (CVE-2021-21985, CVE-2021-21986) affecting VMware vCenter Server and VMware Cloud Foundation and is urging administrators to implement the offered security updates as soon as possible.


“All environments are different, have different tolerance for risk, and have different security controls and defense-in-depth to mitigate risk, so the decision on how to proceed is up to you. However, given the severity, we strongly recommend that you act,” the company noted.

About the vulnerabilities (CVE-2021-21985, CVE-2021-21986)

CVE-2021-21985 is a critical remote code execution vulnerability in the vSphere Client (HTML5). It exists due to lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server.

CVE-2021-21986 is a less severe vulnerability in a vSphere authentication mechanism for several plugins.

They affect vCenter Server 6.5, 6.7, and 7.0. and Cloud Foundation (vCenter Server) 3.x and 4.x.

Both vulnerabilities can be exploited by a malicious actors with network access to port 443. The first one would allow them to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server, while the second one may allow them to perform actions allowed by the impacted plug-ins – Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, VMware Cloud Director Availability – without authentication.

But as Claire Tills, Senior Research Engineer at Tenable, noted, even if an organization has not exposed vCenter Server externally, attackers can still exploit this flaw once inside a network.

Patching is strongly recommended

“In a rare move, VMware published a blog post calling out ransomware groups as being adept at leveraging flaws like this post-compromise, after having gained access to a network via other means such as spearphishing. With ransomware dominating the news, this context is important and reinforces VMware’s assertion that patching these flaws should be a top priority,” she told Help Net Security.

The blog post contains tips for patching, and the company has also published a Q&A document regarding the flaws and their remediation. While workarounds are available, VMware says that implementing the security updates is the better option.

According to Tills, there is currently no proof-of-concept code available for either CVE-2021-21985 and CVE-2021-21986. Nevertheless, she pointed out that in February 2020, VMware patched two other vCenter Server vulnerabilities and researchers saw mass scanning for the RCE one within a day of its publication.

UPDATE (June 5, 2021, 01:10 a.m. PT):

A working PoC for CVE-2021-21985 has been made public, and honeypots are detecting attackers scanning for and exploiting the bug.

UPDATE (June 15, 2021, 11:50 p.m. PT):

Trustwave SpiderLabs researchers have used the Shodan search engine to discover how many still vulnerable VMWare vCenter Server instances are currently connected to the internet.

“Out of 4969 data [related to internet-facing vCenter Server instances] downloaded from Shodan, 4019 (80.88%) are vulnerable,” security researcher Jason Villaluna shared. Of the remaining 950 (19.12%) hosts, the overwhelming majority uses old, “end of life” versions, meaning that these are not likely to have been patched since they are unsupported, he added.

Also, there are now more public PoC exploits for CVE-2021-21985.

Don't miss