Security Experts:

Connect with us

Hi, what are you looking for?



Critical VMware vCenter Server Flaw Can Expose Organizations to Remote Attacks

VMware on Tuesday informed customers that its vCenter Server product is affected by a critical vulnerability that can be exploited by an attacker to execute commands with elevated privileges.

VMware on Tuesday informed customers that its vCenter Server product is affected by a critical vulnerability that can be exploited by an attacker to execute commands with elevated privileges.

vCenter Server is a management software designed to provide a centralized platform for controlling VMware vSphere environments. The critical vulnerability, discovered by Positive Technologies researcher Mikhail Klyuchnikov, impacts a vCenter Server plugin used by the vSphere Client.

The flaw, tracked as CVE-2021-21972 with a CVSS score of 9.8, can be exploited by an attacker with network access to port 443 to “to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,” VMware said in its advisory.

According to Positive Technologies, while 90 percent of vCenter devices are only accessible from within an organization’s perimeter — exploitation of the vulnerability in this case requires access to the target’s internal network — there are more than 6,000 systems that are accessible directly from the internet.

The cybersecurity firm said more than a quarter of these devices are located in the United States, followed by Germany (7%), France (6%), China (6%), the UK (4%), Canada (4%), Russia (3%), Taiwan (3%), Iran (3%), and Italy (3%).

“In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781),” Positive Technologies’ Klyuchnikov explained. “The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server.”

He added, “After receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system (such as information about virtual machines and system users). If the vulnerable software can be accessed from the Internet, this will allow an external attacker to penetrate the company’s external perimeter and also gain access to sensitive data. Once again, I would like to note that this vulnerability is dangerous, as it can be used by any unauthorized user.”

Klyuchnikov has also been credited for a medium-severity server-side request forgery (SSRF) flaw in vCenter Server, specifically in a plugin used by the vSphere Client. An attacker with network access to port 443 could exploit this vulnerability to obtain information — including on open ports associated with various services — that could be useful for further attacks.

VMware has also informed users about CVE-2021-21974, a high-severity heap overflow in ESXi that can be exploited by an attacker with network access to port 427 to execute arbitrary code.

The issue was reported to VMware by Lucas Leong of Trend Micro’s Zero Day Initiative (ZDI). ZDI has yet to make its own advisory for this vulnerability public.

VMware has released patches and workarounds for each of the affected products and versions.

It’s important that organizations using affected products apply the patches or workarounds since VMware product vulnerabilities being targeted by threat actors is not unheard of. The NSA warned recently that a state-sponsored threat actor linked to Russia had exploited a flaw in VMware Workspace ONE, likely even before a patch was released by the virtualization giant.

Related: VMware Patches Vulnerabilities Exploited at Chinese Hacking Contest

Related: VMware Patches Workspace ONE Access Vulnerability Reported by NSA

Related: Patch for Critical VMware ESXi Vulnerability Incomplete

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet