VMware vCenter Server vSphere Client Remote Code Execution
A remote-code-execution vulnerability in the vSphere Client (HTML5) plugin for VMware vCenter Server allows an unauthenticated attacker with network access to port 443 to upload a malicious file and execute arbitrary commands with unrestricted privileges on the underlying operating system.
- Vendor: VMware
- Product: vCenter Server
- CVSS: 9.8
- Status: kev
- Published:
CVE-2021-21972 is a critical remote-code-execution vulnerability in a vCenter Server plugin exposed through the vSphere Client, disclosed by VMware on February 23, 2021. The flaw allowed any unauthenticated attacker with network access to vCenter’s HTTPS port to upload a specially crafted file and use it to execute arbitrary commands with unrestricted (root/SYSTEM-equivalent) privileges on the host operating system — no login, no prior access required.
Why it mattered
vCenter Server is the central management plane for VMware vSphere virtualization environments — compromising it can mean control over every virtual machine, host, and datastore it manages. Within days of VMware’s advisory, security researchers published working exploit code, and internet-wide scans found tens of thousands of vCenter instances exposed directly to the internet with the management interface reachable, despite VMware’s longstanding guidance that vCenter should never be internet-facing. Mass exploitation and opportunistic scanning followed almost immediately.
VMware rated the flaw’s severity based on how little an attacker needed to exploit it, and urged emergency patching or, at minimum, network-level isolation of the vCenter management interface as an interim step. The CVE was added to CISA’s KEV catalog. Full technical detail and patch availability are in VMware’s security advisory (VMSA-2021-0002) and at the NVD link above.
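As an added defensive illustration (not part of the advisory or of any VMware tooling), the following Python flags the request pattern described above, an unauthenticated client uploading a file to the management HTTPS port, over constructed log lines. The log line format, the request paths and the session-cookie name are assumptions made for the example, not vCenter's actual formats.

```python
"""Flag unauthenticated file uploads to a management HTTPS port (example code)."""
import re
from typing import Dict, List, Optional

# Constructed log format (assumption for this example, not vCenter's own):
#   <client> "<METHOD> <path> HTTP/x.y" <status> ct="<content-type>" cookie="<cookie header or ->"
LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) ct="(?P<ctype>[^"]*)" cookie="(?P<cookie>[^"]*)"$'
)

# Cookie name assumed to mark an authenticated web-client session (assumption).
SESSION_COOKIE_NAMES = ("JSESSIONID",)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None when it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_authenticated(cookie_field: str) -> bool:
    """True when the cookie header carries a recognised session cookie."""
    names = [c.split("=", 1)[0].strip() for c in cookie_field.split(";") if c.strip()]
    return any(name in SESSION_COOKIE_NAMES for name in names)

def is_suspicious(entry: Dict[str, str]) -> bool:
    """An upload-style request (file body via POST/PUT) that carries no session cookie."""
    upload_body = entry["method"] in ("POST", "PUT") and (
        entry["ctype"].startswith("multipart/form-data")
        or entry["ctype"] == "application/octet-stream"
    )
    return upload_body and not is_authenticated(entry["cookie"])

def flag_uploads(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries that look like unauthenticated file uploads."""
    return [e for e in map(parse_line, lines) if e and is_suspicious(e)]

# Constructed sample lines; paths and addresses are placeholders for the example.
SAMPLE_LOG = [
    '198.51.100.7 "POST /ui/example-upload HTTP/1.1" 200 ct="multipart/form-data; boundary=x" cookie="-"',
    '10.0.0.5 "POST /ui/example-upload HTTP/1.1" 200 ct="multipart/form-data; boundary=y" cookie="JSESSIONID=abc123"',
    '10.0.0.9 "GET /ui/ HTTP/1.1" 200 ct="-" cookie="-"',
    '198.51.100.7 "PUT /ui/example-upload HTTP/1.1" 500 ct="application/octet-stream" cookie="-"',
]

if __name__ == "__main__":
    for hit in flag_uploads(SAMPLE_LOG):
        print(f"unauthenticated upload: {hit['client']} {hit['method']} {hit['path']} -> {hit['status']}")
```

Even a failed upload (non-200 status) is worth alerting on here, since the advisory's point is that no login precedes the request.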
