Security Advisory 2021-052

Release Date:

UPDATE: Critical Vulnerabilities in VMware Products



  • 22/09/2021 --- v1.0 -- Initial publication
  • 28/09/2021 --- v1.1 -- Update with information about the active exploitation


On Tuesday, September 21, 2021, VMware released the VMSA-2021-0020 advisory [1] to address multiple vulnerabilities in vCenter Server and Cloud Foundation appliances that a remote attacker could exploit to take control of an affected system. The most urgent and critical is a file upload vulnerability, CVE-2021-22005, that can be used to execute commands and software on the vCenter Server Appliance [2].

On Tuesday, September 24, 2021, VMware updated the advisory to VMSA-2021-0020.1 and confirmed reports that CVE-2021-22005 is being exploited in the wild [1]. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code [5, 6, 7].

Technical Details

A malicious actor with network access to port 443 on vCenter Server may exploit the CVE-2021-22005 vulnerability (CVSSv3 base score 9.8) to execute code on vCenter Server by uploading a specially crafted file, regardless of the configuration settings of vCenter Server [1, 2].

Affected Products

The CVE-2021-22005 vulnerability impacts the following versions [4]:

  • VMware vCenter Server 6.7
  • VMware vCenter Server 7.0

This issue (CVE-2021-22005) does not affect vCenter Server 6.5 [1].

Recommendations

VMware recommends that affected customers install the relevant updates as soon as possible.

For those who cannot patch their appliances immediately, VMware also provides a workaround as a temporary mitigation [3].
