Threat Signal Report

Reports of Active in the Wild Exploitation of VMware vCenter Remote Code Execution Vulnerability (CVE-2021-21985)


FortiGuard Labs is aware of reports of new active in-the-wild exploitation of CVE-2021-21985, which is a remote code execution vulnerability in VMware vCenter software, first disclosed in May. According to the advisory, the vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.

A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. Even if certain vCenter servers are not externally facing, an attacker with network access can still connect to an internally hosted server therefore causing further damage. This includes, but is not limited to, the exposure of a ransomware installation by threat actors. Because this vulnerability does not require any sophistication to exploit, and the fact that we are starting to see multiple instances of proof of concept code being posted to various known sites, and reports of active in the wild exploitation - it is highly recommended that organizations affected by this latest vulnerability apply all patches from the May 2021 advisory immediately.

What Versions of vCenter Are Affected?

Reported versions affected by CVE-2021-21985 are 7.0, 6.7, and 6.5.

Are there Patches Available for Reported Vulnerabilities by the Vendor?

Patches were available as of May 25, 2021. Please refer to the VMware "Advisory ID: VMSA-2021-0010" link in the APPENDIX section for further information.

How Serious of an Issue is This?

HIGH. CVE-2021-21985 (vCenter remote code execution vulnerability) is rated CRITICAL and has a CVSS score of 9.8.

Are There Any Reports of Nation State Activity Actively Exploiting CVE-2021-21985?

Not that we are aware of at this time.

How Widespread is this Attack?

Global. Malicious scans by attackers are currently underway looking for vulnerable unpatched appliances, regardless of location. Multiple proof of concepts are starting to emerge as well.

What is the Status of Coverage?

Customers running current definitions are protected by the following FortiGuard IPS signature:


FortiGuard Labs is continuously monitoring for further developments and we will update this Threat Signal if relevant.

Any Other Suggested Mitigation?

According to VMware, it is recommended to apply all available patches from the May 2021 update immediately. If patching is not possible at this time, please refer to the "Workarounds" section in the VMware Advisory ID: VMSA-2021-0010 located in the APPENDIX section.

The potential for damage to daily operations, reputation, and unwanted release of data, the disruption of business operations, etc. is apparent, and because of this it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed once available, and updated on a regular basis to protect against attackers establishing a foothold within a network.



Traffic Light Protocol

Color When Should it Be used? How may it be shared?


Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.


Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.


Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.


Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.