You are currently viewing VMware vCenter Servers Under Active Attack, Patch Now!

VMware vCenter Servers Under Active Attack, Patch Now!

VMware, the virtualization giant, has patched 19 vulnerabilities, including one critical vulnerability, ten important vulnerabilities, and eight moderate vulnerabilities, in its latest security advisory VMSA-2021-0020. The vulnerabilities tracked as CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, CVE-2021-22009, CVE-2021-22010, CVE-2021-22011, CVE-2021-22012, CVE-2021-22013, CVE-2021-22014, CVE-2021-22015, CVE-2021-22016, CVE-2021-22017, CVE-2021-22018, CVE-2021-22019, CVE-2021-22020 are affecting the widely used VMware vCenter Server and VMware Cloud Foundation.

Successful exploitation of these vulnerabilities allows attackers to conduct code execution, sensitive information disclosure, privilege escalation, cross-site scripting, server-side request forgery, and denial of service.

VMware has also released a patch for an arbitrary file upload vulnerability (CVE-2021-22005) in its Analytics service, which is being exploited in the wild.

CVE-2021-22005 Actively Exploited In The Wild

A critical remote code execution vulnerability is found in the VMware vCenter. The flaw is due to an arbitrary file upload vulnerability in its analytics service. It allows attackers to execute commands and software on the vCenter Server Appliance. Anyone who can reach the vCenter Server over the network can use this vulnerability to gain access irrespective of the configuration settings of the vCenter Server.

Below attached screenshot of a cURL request that can be performed against the analytics service endpoint to identify vulnerable and non-vulnerable hosts:

Vulnerable host :

  • Here Server responds with a 200/OK and anything other than ‘OFF‘ in the response body (such as ‘FULL‘)

Non Vulnerable host :

  • Here Server responds with a 200/OK and body content of ‘OFF‘ in the response body. i.e., It is likely not vulnerable and also unpatched with no workaround applied.

If the Server responds with a 400/Bad Request, it is patched, and if it responds with 404, either the workaround has been applied, or is not applicable.

Affected Applications

  • vCenter Server 6.7 before 6.7u3o and 7.0 before 7.0u2c
  • Cloud Foundation 3. x before, 4. x before 4.3


  • vCenter Server 6.7u3o for 6.7, 7.0u2c for 7.0
  • Cloud Foundation for 3. x, 4.3 for 4. x

SanerNow VM detects these vulnerabilities. We strongly recommend applying the security updates for all vulnerabilities on high priority.

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments