Threat Signal Report

Reports of Active in the Wild Exploitation of VMware vCenter Remote Code Execution Vulnerability (CVE-2021-21985)

description-logo Description

FortiGuard Labs is aware of reports of new active in-the-wild exploitation of CVE-2021-21985, which is a remote code execution vulnerability in VMware vCenter software, first disclosed in May. According to the advisory, the vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.

A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. Even if certain vCenter servers are not externally facing, an attacker with network access can still connect to an internally hosted server therefore causing further damage. This includes, but is not limited to, the exposure of a ransomware installation by threat actors. Because this vulnerability does not require any sophistication to exploit, and the fact that we are starting to see multiple instances of proof of concept code being posted to various known sites, and reports of active in the wild exploitation - it is highly recommended that organizations affected by this latest vulnerability apply all patches from the May 2021 advisory immediately.

What Versions of vCenter Are Affected?

Reported versions affected by CVE-2021-21985 are 7.0, 6.7, and 6.5.

Are there Patches Available for Reported Vulnerabilities by the Vendor?

Patches were available as of May 25, 2021. Please refer to the VMware "Advisory ID: VMSA-2021-0010" link in the APPENDIX section for further information.

How Serious of an Issue is This?

HIGH. CVE-2021-21985 (vCenter remote code execution vulnerability) is rated CRITICAL and has a CVSS score of 9.8.

Are There Any Reports of Nation State Activity Actively Exploiting CVE-2021-21985?

Not that we are aware of at this time.

How Widespread is this Attack?

Global. Malicious scans by attackers are currently underway looking for vulnerable unpatched appliances, regardless of location. Multiple proof of concepts are starting to emerge as well.

What is the Status of Coverage?

Customers running current definitions are protected by the following FortiGuard IPS signature:


FortiGuard Labs is continuously monitoring for further developments and we will update this Threat Signal if relevant.

Any Other Suggested Mitigation?

According to VMware, it is recommended to apply all available patches from the May 2021 update immediately. If patching is not possible at this time, please refer to the "Workarounds" section in the VMware Advisory ID: VMSA-2021-0010 located in the APPENDIX section.

The potential for damage to daily operations, reputation, and unwanted release of data, the disruption of business operations, etc. is apparent, and because of this it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed once available, and updated on a regular basis to protect against attackers establishing a foothold within a network.