IRONSMITHINTEL

CRITICAL · CVSS 9.8 | Actively Exploited | CISA KEV | CVE-2021-21985 | Auth: none — unauthenticated | Reboot: required | Est. 2 hours including vCenter restart | Manual only

VMware vCenter Server < 7.0 — RCE

A pre-authenticated remote code execution vulnerability in the vCenter Server vSAN Health Check plugin. Patch to vCenter 7.0 Update 2b / 6.7 Update 3n / 6.5 Update 3p — exploited in the wild for ransomware delivery.

Published May 25, 2021 · Updated May 8, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

Full unauthenticated code execution on the vCenter Server host. Since vCenter manages all ESXi hosts in the datacenter, compromise of vCenter equals compromise of every VM running in the environment. Attackers used this to deploy ransomware across all VMs simultaneously.

How the attack works: no clicks needed

The vSAN Health Check plugin (enabled by default in vCenter Server) contains a remote code execution vulnerability. An attacker with network access to port 443 on vCenter can exploit this without any authentication. The plugin runs with the privileges of the vCenter service, which on Windows hosts runs as SYSTEM.


Am I affected? Quick check

Audience: VMware Administrators, Virtualisation Team, IT Security

Probably yes if any of these apply:

- Running vCenter Server 7.0 prior to 7.0 Update 2b
- Running vCenter Server 6.7 prior to 6.7 Update 3n
- Running vCenter Server 6.5 prior to 6.5 Update 3p

Affected OS versions

Windows Server 2016, Windows Server 2019

Fixed in: vCenter Server 7.0 Update 2b / 6.7 Update 3n / 6.5 Update 3p

Real-world incidents: what we've seen

Following the May 2021 disclosure, multiple ransomware groups began mass-scanning for vulnerable vCenter instances. HelloKitty, BlackMatter, and Darkside ransomware operators exploited CVE-2021-21985 to encrypt virtual machine disk files (VMDKs) directly on the datastore, bypassing guest OS protections. An incident at a European logistics firm resulted in 2,000+ VMs encrypted within 4 hours.

How to patch

Manual remediation steps (estimated 2 hours including vCenter restart)

Check Current vCenter Version

# From the vCenter Appliance Shell (VCSA) or Windows vCenter:
shell        # VCSA only: drop from the appliance shell into bash
vmware -v    # prints the installed vCenter version and build number
# Or check the vSphere Web Client: Help > About
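To turn the version check above into a repeatable triage step, here is an added Python helper (example code, not part of this advisory or of VMware's tooling). It parses the output of `vmware -v`, which is assumed to have the shape `VMware VirtualCenter <major.minor.patch> build-<build>`, and compares the build number against the fixed build for the release line. Only the 7.0 Update 2b build (17958471) is given on this page; the 6.7 Update 3n and 6.5 Update 3p builds are left as labelled placeholders to be filled in from VMware's release notes before the script is relied on. The sample output lines in the `__main__` block are constructed, not captured from real hosts.

```python
"""Triage helper for CVE-2021-21985: classify a vCenter host from `vmware -v` output.

Added example, not from the advisory or VMware. Assumptions:
  - `vmware -v` prints "VMware VirtualCenter <major.minor[.patch]> build-<build>"
  - only the 7.0 line's fixed build (17958471, 7.0 Update 2b) comes from the advisory;
    the 6.7 and 6.5 entries are PLACEHOLDERS until filled from VMware's release notes.
"""
import re
import subprocess

FIXED_BUILDS = {
    "7.0": 17958471,  # 7.0 Update 2b, build number from the advisory
    "6.7": None,      # PLACEHOLDER: 6.7 Update 3n build, fill in from VMware release notes
    "6.5": None,      # PLACEHOLDER: 6.5 Update 3p build, fill in from VMware release notes
}

# Assumed output shape, e.g. "VMware VirtualCenter 7.0.2 build-17958471"
VMWARE_V_RE = re.compile(r"VMware VirtualCenter\s+(\d+\.\d+)(?:\.\d+)*\s+build-(\d+)")


def parse_vmware_v(output):
    """Return (release_line, build) from `vmware -v` output, or None if unrecognised."""
    m = VMWARE_V_RE.search(output)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def assess(output):
    """Classify a vCenter instance for CVE-2021-21985 from its `vmware -v` output.

    status values:
      unparsed            - output did not match the assumed format; check Help > About
      not-in-advisory     - release line is not one of the 7.0/6.7/6.5 lines listed above
      fixed-build-unknown - affected line, but the fixed build is still a placeholder
      vulnerable          - build is below the fixed build for that line
      patched             - build is at or above the fixed build
    """
    parsed = parse_vmware_v(output)
    if parsed is None:
        return {"status": "unparsed"}
    line, build = parsed
    if line not in FIXED_BUILDS:
        return {"status": "not-in-advisory", "version": line, "build": build}
    fixed = FIXED_BUILDS[line]
    if fixed is None:
        return {"status": "fixed-build-unknown", "version": line, "build": build}
    status = "patched" if build >= fixed else "vulnerable"
    return {"status": status, "version": line, "build": build, "fixed_build": fixed}


def assess_local():
    """Run `vmware -v` on this host (from the VCSA bash shell) and assess the result."""
    try:
        proc = subprocess.run(["vmware", "-v"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return {"status": "unparsed", "error": "vmware binary not found; run on the vCenter host"}
    return assess(proc.stdout)


if __name__ == "__main__":
    # Constructed sample lines (not captured from real hosts); only 17958471 is a real build
    for sample in (
        "VMware VirtualCenter 7.0.2 build-17958471",
        "VMware VirtualCenter 7.0.1 build-17000000",
        "VMware VirtualCenter 6.7.0 build-16000000",
        "VMware VirtualCenter 8.0.0 build-20000000",
    ):
        print(sample, "->", assess(sample))
```

Run `python3 triage.py` with the samples to see each status, or call `assess_local()` from the VCSA bash shell; anything other than `patched` should be tracked as an open finding until the fixed builds for every line are confirmed and the host verified.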

Immediate Mitigation — Disable Affected Plugins

# Workaround on the vCenter Server Appliance (the path below is the VCSA plugin directory):
# 1. SSH to vCenter
# 2. Navigate to /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/
# 3. Rename or remove the vSAN health check plugin directory
# NOTE: Apply the patch ASAP — this workaround is not officially supported

Apply the vCenter Patch

1. Download VMware-vCenter-Server-Appliance-7.0.2.00300-17958471-patch-FP.iso from https://customerconnect.vmware.com/downloads
2. Stage the patch ISO to the vCenter appliance:
   # Mount and apply via Appliance Management (port 5480)
   # https://<vcenter-ip>:5480 > Update > Check Updates
3. Or use the CLI (run from the appliance shell, not bash):
   software-packages stage --iso --acceptEulas
   software-packages install --staged
4. Reboot the vCenter appliance

Verify

vmware -v
# Must show build 17958471 or later
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.