IRONSMITHINTEL
CRITICAL · CVSS 9.8 · Actively Exploited · CISA KEV · CVE-2021-22005
Auth: none (unauthenticated) | Reboot: required | Est. 2 hours including appliance restart | Manual only

VMware vCenter Server 6.7 and 7.0: unauthenticated RCE via arbitrary file upload (CVE-2021-22005)

An arbitrary file upload vulnerability in the vCenter Server Analytics service lets anyone who can reach vCenter over the network, with no credentials, execute code on the appliance. Apply VMware's patch immediately: public exploit code was available within 24 hours of disclosure.

Published Sep 21, 2021 · Updated May 10, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

Unauthenticated root code execution on the vCenter Server, giving complete control of all managed ESXi hosts and VMs. Multiple public exploit tools were released within a day of the September 2021 disclosure, lowering the technical bar to mass exploitation.

How the attack works (no clicks needed)

The vCenter Server Analytics service accepts file uploads without authentication and does not adequately constrain where the uploaded content is written. An attacker who can reach the vCenter HTTPS port (443/TCP) can submit a crafted upload that leads to code execution on the appliance, and because the service runs as root, the attacker lands as root. VMware's advisory notes this works regardless of vCenter configuration, so having the Customer Experience Improvement Program (CEIP) disabled does not protect you. No user interaction is involved.


Am I affected? Quick check

Who should check: VMware administrators, virtualisation team, IT security.

Probably yes if any of these apply:

Running vCenter Server 7.0 prior to 7.0 Update 2d (build 18455184)
Running vCenter Server 6.7 prior to 6.7 Update 3o
Running VMware Cloud Foundation 3.x or 4.x whose embedded vCenter has not received the corresponding patch

vCenter Server 6.5 is not affected by CVE-2021-22005, although VMSA-2021-0020 covers other CVEs that do affect 6.5, so review the full advisory.

Affected platform

VMware vCenter Server Appliance (Photon OS, Linux-based)

Fixed in: vCenter Server 7.0 Update 2d / 6.7 Update 3o
Real-world incidents: what we've seen

VMware rated this vulnerability 9.8 CRITICAL and issued an emergency advisory VMSA-2021-0020 on September 21, 2021. By September 22, automated scanning and exploitation had begun. Ransomware actors and cryptomining groups both exploited this vulnerability. The US CISA issued an urgent alert directing immediate patching. An exploit PoC was publicly available within 24 hours.

How to patch

Manual remediation steps

2 hours including appliance restart

Check Version and Exposure

# From the vCenter Appliance Shell (prints product, version and build):
vmware -v

# From a machine OUTSIDE your management network: if this prints an HTTP
# status other than 000, port 443 on vCenter is reachable from there.
# Reachable from the internet = high risk; the flaw needs no credentials.
curl -k -s --max-time 5 -o /dev/null -w '%{http_code}\n' "https://<vcenter-ip>/ui/"

Immediate Workaround (if patching is delayed)

# 1. At the perimeter / VM firewall, restrict TCP 443 to vCenter to management
#    networks only. This is a mitigation, not a fix: any host on the allowed
#    networks can still exploit the flaw without credentials.
# 2. Apply VMware's interim workaround from KB85717 on the appliance. It disables
#    the vulnerable telemetry servlet in the analytics service configuration under
#    /etc/vmware-analytics/ (back the file up first and follow the KB for the
#    exact lines to comment out), then restarts the service:
service-control --restart vmware-analytics

Apply the Patch

1. Take a file-based backup (Appliance Management > Backup) or a snapshot of the vCSA before patching.
2. Download the patch ISO from VMware Customer Connect:
    vCenter 7.0 Update 2d: VMware-vCenter-Server-Appliance-7.0.2.00400-18455184-patch-FP.iso
    vCenter 6.7 Update 3o: VMware-vCenter-Server-Appliance-6.7.0.46000-18831058-patch-FP.iso
3. Upload the ISO to a datastore and attach it to the vCSA virtual machine's CD/DVD drive (the appliance stages from its own CD-ROM, not from a datastore path).
4. Apply via Appliance Management (https://<vcenter>:5480):
    Update > Check Updates > Check CD ROM > Stage and Install
5. Or from the appliance shell (the --iso flag takes no path; it reads the attached CD-ROM):
software-packages stage --iso --acceptEulas
software-packages list --staged
software-packages install --staged

Verify

vmware -v
# Build must be 18455184 (7.0U2d) or 18831058 (6.7U3o) or later
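To make the version check above and this post-patch verification repeatable across many appliances, here is an added shell example. It is not VMware's tooling or part of this page's own scripts: it parses the line printed by `vmware -v` (the exact output format is an assumption; a sample string is shown in the comments), compares the build against the fixed builds quoted on this page, and includes the external exposure probe from the check step. The 6.5 branch reflects VMSA-2021-0020 listing 6.5 as not affected by this CVE. Version strings used in the comments are constructed, not captured from a real appliance.

```shell
#!/bin/sh
# Added example, not VMware's tooling: classify a vCenter build against the
# CVE-2021-22005 fixed builds quoted on this page, and probe HTTPS exposure.
# Assumed input format for the version check: the line printed by `vmware -v`
# on the appliance, e.g. "VMware vCenter Server 7.0.2.00400 build-18455184"
# (constructed sample; real output wording may differ, only the x.y version
# and the build-NNNNNNNN token are parsed).

FIX_70=18455184   # 7.0 Update 2d
FIX_67=18831058   # 6.7 Update 3o

# First "major.minor" pair in the string, e.g. "7.0" from "7.0.2.00400".
vc_major_minor() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+' | head -n 1
}

# Numeric build following "build-" / "Build " (case-insensitive).
vc_build() {
    printf '%s\n' "$1" | grep -oiE 'build[- ]*[0-9]+' | grep -oE '[0-9]+' | head -n 1
}

# Exit 0 if the build is at or past the fixed build for its release line
# (or the line is 6.5, which VMSA-2021-0020 lists as not affected by this CVE),
# 1 if vulnerable, 2 if the string cannot be classified.
vc_patched() {
    mm=$(vc_major_minor "$1" || true)
    b=$(vc_build "$1" || true)
    [ -n "$mm" ] && [ -n "$b" ] || return 2
    case "$mm" in
        7.0) [ "$b" -ge "$FIX_70" ] ;;
        6.7) [ "$b" -ge "$FIX_67" ] ;;
        6.5) return 0 ;;
        *)   return 2 ;;
    esac
}

# One-word verdict for reports and scripts.
vc_verdict() {
    vc_patched "$1" && rc=0 || rc=$?
    case "$rc" in
        0) echo NOT_VULNERABLE ;;
        1) echo VULNERABLE ;;
        *) echo UNKNOWN ;;
    esac
}

# Exposure probe, run from OUTSIDE the management network (needs network, so it
# is not exercised offline). Prints the HTTP status of /ui/; "000" means port
# 443 was not reachable within 5 seconds, anything else means it is exposed.
vc_exposed_code() {
    curl -k -s --max-time 5 -o /dev/null -w '%{http_code}' "https://$1/ui/" || true
}

# Usage on the appliance:  sh check_vc.sh --self
# Usage from a laptop:     sh check_vc.sh --probe <vcenter-ip>
case "${1:-}" in
    --self)  vc_verdict "$(vmware -v 2>/dev/null || true)" ;;
    --probe) printf 'HTTP %s from https://%s/ui/\n' "$(vc_exposed_code "$2")" "$2" ;;
esac
```

The comparison is per release line on purpose: a 6.7 build number is always lower than a 7.0 build number, so a single global threshold would wrongly pass or fail one of the two lines. Anything the script cannot place in a known line comes back as UNKNOWN rather than NOT_VULNERABLE, so an unexpected output format fails safe.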
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.