CVE-2021-21985 Explained: VMware vCenter Server Remote Code Execution
A CVSS 9.8 unauthenticated RCE in VMware vCenter Server's vSphere Client. Compromise the hypervisor management plane and you own every virtual machine it controls.

CVE-2021-21985 is a critical unauthenticated remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. Disclosed May 25, 2021, with a CVSS score of 9.8, it allows an unauthenticated attacker with network access to vCenter's HTTPS management port (443) to achieve RCE with operating system-level privileges.
The vulnerability's impact extends far beyond the vCenter server itself. vCenter is the management plane for VMware virtualized infrastructure — an attacker who achieves RCE on vCenter gains the ability to control, snapshot, clone, and destroy every virtual machine under its management. In environments where VMware vSphere hosts domain controllers, databases, and critical application servers, vCenter compromise equals complete infrastructure takeover.
The Plugin Vulnerability: How CVE-2021-21985 Achieves Unauthenticated RCE
VMware vCenter Server ships with a set of pre-installed plugins that extend its management capabilities. One of these — the Virtual SAN (vSAN) Health Check plugin — is enabled by default even in environments that do not use vSAN storage. CVE-2021-21985 stems from missing input validation in this plugin.
The vSAN Health Check plugin exposes several API endpoints accessible through vCenter's web interface. These endpoints lack proper authentication checks in vulnerable versions, and they fail to validate or sanitize input before using it in backend operations. By sending a specially crafted HTTP request to the vulnerable endpoint, an unauthenticated attacker can inject commands that execute on the underlying operating system.
On Linux-based vCenter Server Appliance (VCSA) installations, code executes as root. On Windows-based vCenter Server installations (deprecated but still in use), code executes as SYSTEM. In both cases, the attacker gains unrestricted operating system access to the vCenter server — from which the entire vSphere infrastructure management plane is accessible.
Affected versions include vCenter Server 6.5, 6.7, and 7.0 before their respective patch releases, as well as Cloud Foundation 3.x and 4.x.
Identify vCenter instances
Scan for VMware vCenter Server web interfaces exposed on port 443. The vSphere Client login page is distinctive. Thousands of vCenter instances are directly internet-exposed; many more are reachable from internal network footholds.
Target vSAN Health Check plugin
Send unauthenticated HTTP requests to the vulnerable vSAN Health Check plugin API endpoint. No session token, cookie, or credential is required — the endpoint is accessible without authentication in affected versions.
Inject payload
Supply malicious input in the request that triggers unsanitized backend execution. The plugin processes the input and executes the injected commands as root (Linux VCSA) or SYSTEM (Windows vCenter).
Establish persistence on vCenter
Deploy a web shell or implant on the vCenter server, or create a new SSO administrator account for persistent access. vCenter's built-in user store allows account creation from the OS level.
Extend control across VMware infrastructure
From vCenter, issue commands to ESXi hosts — power off VMs, take snapshots (capturing memory with credentials), deploy new VMs from attacker-controlled templates, or encrypt virtual machine disk files directly at the hypervisor layer.
Why vCenter Compromise is a Crown Jewel Attack
vCenter Server occupies a unique position in enterprise infrastructure: it is the administrative control plane for the virtualized environment. In organizations where VMware vSphere hosts the majority of production workloads — a common configuration — a single vCenter compromise provides access to every system those VMs represent.
Attackers who compromise vCenter can perform several uniquely devastating actions not available through traditional endpoint compromise. They can take memory snapshots of running virtual machines, which capture encryption keys, process memory, and credentials from systems that may be otherwise hardened. They can deploy ransomware directly at the VMDK (virtual disk) level by shutting down VMs and encrypting their disk files — bypassing endpoint security agents running inside those VMs entirely. They can clone VMs to exfiltrate entire server environments offline for analysis.
Several ransomware groups — including REvil, Darkside (behind the Colonial Pipeline attack), and HelloKitty — have developed specialized ESXi/vCenter encryptors specifically targeting the hypervisor layer. CVE-2021-21985 provided direct unauthenticated access to this capability from a single internet-accessible HTTP request.
Exploitation was confirmed in the wild within days of disclosure. The vulnerability was added to CISA's Known Exploited Vulnerabilities catalog.
“Unauthenticated access to vCenter is functionally equivalent to unauthenticated access to every virtual machine it manages. The blast radius is the entire virtual infrastructure.”
— VMware Security Advisory VMSA-2021-0010
Patching and Securing VMware vCenter Against CVE-2021-21985
VMware released patches for vCenter 6.5, 6.7, and 7.0 on May 25, 2021. Patching must be treated as an emergency priority. The following additional controls harden vCenter independent of this specific vulnerability.
Apply VMware patches from VMSA-2021-0010 immediately
Upgrade to vCenter Server 7.0 U2b, 6.7 U3n, or 6.5 U3p. For Cloud Foundation, apply the patches outlined in VMSA-2021-0010. The patch removes the authentication bypass in the vSAN Health Check plugin.
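A small triage helper, added here as an example (it is not VMware tooling and not code from this article), that applies the fixed-release table above to an inventory of vCenter releases. It compares only the update designators the advisory names (7.0 U2b, 6.7 U3n, 6.5 U3p) and assumes VMware's naming order GA < U1 < U1a < U2 < U2a and so on; the hostnames and release strings are constructed. For a definitive answer compare the appliance build number against the advisory, since update names are coarser than builds.

```python
from __future__ import annotations
import re

# Fixed releases named in VMSA-2021-0010 (taken from the article), keyed by release line.
FIXED_RELEASES = {"7.0": "U2b", "6.7": "U3n", "6.5": "U3p"}

# Constructed inventory for the example: hostname -> release string as reported by the appliance.
INVENTORY = {
    "vcsa-prod-01": "7.0 U2a",
    "vcsa-prod-02": "7.0 U2b",
    "vcsa-dr-01": "6.7 U3",
    "vcsa-lab": "6.5 GA",
    "vcsa-new": "7.0 U3",
}

_RELEASE_RE = re.compile(r"^\s*(\d+\.\d+)(?:\s+(GA|U\d+[a-z]?))?\s*$", re.IGNORECASE)
_UPDATE_RE = re.compile(r"^U(\d+)([a-z]?)$", re.IGNORECASE)


def update_key(update: str | None) -> tuple[int, str]:
    """Sort key for an update designator.

    Assumes VMware's naming order GA < U1 < U1a < U1b < U2 < U2a ...;
    GA (or no designator) sorts first, and a bare 'U3' sorts before 'U3a'.
    """
    if update is None or update.upper() == "GA":
        return (0, "")
    m = _UPDATE_RE.match(update)
    if not m:
        raise ValueError(f"unrecognised update designator: {update!r}")
    return (int(m.group(1)), m.group(2).lower())


def parse_release(release: str) -> tuple[str, tuple[int, str]]:
    """Split '7.0 U2b' into ('7.0', (2, 'b')); '6.5' on its own is treated as GA."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return m.group(1), update_key(m.group(2))


def is_vulnerable(release: str) -> bool | None:
    """True if the release is below the fixed release for its line, False if it is at
    or above it, None if the line is not in the advisory's table."""
    line, key = parse_release(release)
    fixed = FIXED_RELEASES.get(line)
    if fixed is None:
        return None
    return key < update_key(fixed)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket every host in the inventory as vulnerable, patched or unknown."""
    buckets = {"vulnerable": [], "patched": [], "unknown": []}
    for host, release in inventory.items():
        status = is_vulnerable(release)
        if status is None:
            buckets["unknown"].append(host)
        elif status:
            buckets["vulnerable"].append(host)
        else:
            buckets["patched"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the release strings from your own inventory; anything the regex does not recognise raises rather than silently landing in "patched", which is the failure mode you want to avoid in a triage script.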
Isolate vCenter management access to a dedicated management network
vCenter should never be internet-accessible. Place vCenter and ESXi management interfaces on a dedicated management VLAN accessible only from jump hosts and bastion servers with enforced MFA. Firewall rules should block all other inbound access to port 443 on vCenter.
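The port-443 restriction above can be checked mechanically against a firewall export rather than by eye. The following is an added example and not part of the article: the rule format, the vCenter address 10.10.0.20, and the management networks are constructed for illustration, and a real firewall export would need to be mapped onto these fields. A rule is flagged when it allows traffic to vCenter's HTTPS port from any source range that is not wholly inside a management network, so a broad corporate allow (10.0.0.0/8) fails just as an internet-wide one does.

```python
from __future__ import annotations
import ipaddress

# Constructed example data (not from the article or any vendor): the vCenter address,
# the networks allowed to reach it, and an inbound rule set in a vendor-neutral shape.
VCENTER_IP = "10.10.0.20"
MANAGEMENT_NETS = ["10.10.0.0/24", "10.10.1.5/32"]  # management VLAN and one bastion host
RULES = [
    {"id": "mgmt-vlan-https", "action": "allow", "src": "10.10.0.0/24", "dst": VCENTER_IP, "dport": 443},
    {"id": "bastion-https", "action": "allow", "src": "10.10.1.5/32", "dst": VCENTER_IP, "dport": 443},
    {"id": "legacy-any-https", "action": "allow", "src": "0.0.0.0/0", "dst": VCENTER_IP, "dport": 443},
    {"id": "corp-wide-any", "action": "allow", "src": "10.0.0.0/8", "dst": VCENTER_IP, "dport": "any"},
    {"id": "corp-dns", "action": "allow", "src": "10.0.0.0/8", "dst": "10.10.0.53", "dport": 53},
    {"id": "default-deny", "action": "deny", "src": "0.0.0.0/0", "dst": "any", "dport": "any"},
]


def rule_reaches_vcenter(rule, vcenter_ip, port=443):
    """True if an allow rule lets traffic through to vcenter_ip:port (wildcards included)."""
    if rule["action"] != "allow":
        return False
    if rule["dst"] != "any":
        if ipaddress.ip_address(vcenter_ip) not in ipaddress.ip_network(rule["dst"], strict=False):
            return False
    return rule["dport"] == "any" or rule["dport"] == port


def source_is_management(src, management_nets):
    """True only if the whole source range lies inside one of the management networks."""
    src_net = ipaddress.ip_network(src, strict=False)
    for allowed in management_nets:
        allowed_net = ipaddress.ip_network(allowed, strict=False)
        if src_net.version == allowed_net.version and src_net.subnet_of(allowed_net):
            return True
    return False


def exposed_rules(rules, vcenter_ip, management_nets, port=443):
    """IDs of allow rules that reach vCenter's port from outside the management networks."""
    return [
        r["id"]
        for r in rules
        if rule_reaches_vcenter(r, vcenter_ip, port)
        and not source_is_management(r["src"], management_nets)
    ]


if __name__ == "__main__":
    for rule_id in exposed_rules(RULES, VCENTER_IP, MANAGEMENT_NETS):
        print(f"FAIL: rule {rule_id} allows non-management access to {VCENTER_IP}:443")
```

Run the same check for the ESXi hosts' management addresses, since the page's isolation advice covers both vCenter and ESXi management interfaces.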
Disable unused vCenter plugins
As a defense-in-depth measure, disable vCenter plugins that are not in active use, including the vSAN Health Check plugin if vSAN is not deployed. Navigate to Menu > Administration > Client Plugins to review and disable unnecessary plugins.
Enforce vCenter SSO with MFA
Configure vCenter Single Sign-On to integrate with your identity provider and enforce multi-factor authentication. This does not prevent CVE-2021-21985 exploitation (which bypasses authentication entirely) but hardens against credential-based vCenter access.
Monitor vCenter for new administrator account creation
Audit vCenter SSO for unexpected new user accounts, particularly accounts with administrator roles in the vsphere.local domain. New accounts created from API calls rather than the UI — especially outside business hours — are a key compromise indicator.
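A worked example, added here and not taken from the article or from VMware, of the two detections this section and the earlier description of hypervisor-level attacker actions (memory-capturing snapshots) call for: Administrator creations or grants in vsphere.local that arrive through the API or outside business hours, and a burst of memory-inclusive snapshots by a single account. The event records, their field names, the business-hours range and the burst thresholds are all constructed for the example; a real vCenter event export must be normalised into this shape first.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalised vCenter events. The field names are this example's own,
# not vCenter's native event schema; an export from vCenter must be mapped onto them.
EVENTS = [
    {"time": "2021-06-01T09:15:00", "kind": "sso.role.assign", "actor": "administrator@vsphere.local",
     "client": "ui", "target": "backup-svc@vsphere.local", "role": "Administrator"},
    {"time": "2021-06-01T14:02:11", "kind": "sso.user.create", "actor": "administrator@vsphere.local",
     "client": "ui", "target": "reports@vsphere.local", "role": "ReadOnly"},
    {"time": "2021-06-02T02:17:40", "kind": "sso.user.create", "actor": "administrator@vsphere.local",
     "client": "api", "target": "svc-health@vsphere.local", "role": "Administrator"},
    {"time": "2021-06-02T02:19:03", "kind": "vm.snapshot.create", "actor": "svc-health@vsphere.local",
     "client": "api", "target": "DC01", "memory": True},
    {"time": "2021-06-02T02:21:30", "kind": "vm.snapshot.create", "actor": "svc-health@vsphere.local",
     "client": "api", "target": "DC02", "memory": True},
    {"time": "2021-06-02T02:24:10", "kind": "vm.snapshot.create", "actor": "svc-health@vsphere.local",
     "client": "api", "target": "SQL01", "memory": True},
    {"time": "2021-06-02T10:30:00", "kind": "vm.snapshot.create", "actor": "ops@corp.local",
     "client": "ui", "target": "WEB01", "memory": True},
    {"time": "2021-06-02T10:35:00", "kind": "vm.snapshot.create", "actor": "ops@corp.local",
     "client": "ui", "target": "WEB02", "memory": False},
]

BUSINESS_HOURS = range(8, 18)            # 08:00-17:59 in the appliance's local time (assumed)
ADMIN_DOMAIN = "vsphere.local"
SNAPSHOT_BURST = 3                       # this many memory snapshots by one actor ...
SNAPSHOT_WINDOW = timedelta(minutes=10)  # ... inside this window is treated as a burst


def _when(event):
    return datetime.fromisoformat(event["time"])


def suspicious_admin_grants(events):
    """Administrator creations/grants in vsphere.local that came through the API
    or landed outside business hours. Returns (time, account, reasons) tuples."""
    alerts = []
    for e in events:
        if e["kind"] not in ("sso.user.create", "sso.role.assign"):
            continue
        if e.get("role") != "Administrator" or not e["target"].endswith("@" + ADMIN_DOMAIN):
            continue
        reasons = []
        if e["client"] == "api":
            reasons.append("via API")
        if _when(e).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            alerts.append((e["time"], e["target"], "; ".join(reasons)))
    return alerts


def memory_snapshot_bursts(events):
    """Actors that took SNAPSHOT_BURST or more memory-inclusive snapshots within
    SNAPSHOT_WINDOW. Returns (actor, [VM names in the first such burst]) tuples."""
    per_actor = defaultdict(list)
    for e in events:
        if e["kind"] == "vm.snapshot.create" and e.get("memory"):
            per_actor[e["actor"]].append((_when(e), e["target"]))
    alerts = []
    for actor, snaps in per_actor.items():
        snaps.sort()
        for start in range(len(snaps) - SNAPSHOT_BURST + 1):
            window = snaps[start:start + SNAPSHOT_BURST]
            if window[-1][0] - window[0][0] <= SNAPSHOT_WINDOW:
                # extend the burst to every later snapshot still inside the window
                burst = [vm for t, vm in snaps[start:] if t - window[0][0] <= SNAPSHOT_WINDOW]
                alerts.append((actor, burst))
                break
    return alerts


if __name__ == "__main__":
    for alert in suspicious_admin_grants(EVENTS):
        print("ADMIN GRANT:", *alert)
    for actor, vms in memory_snapshot_bursts(EVENTS):
        print(f"MEMORY SNAPSHOT BURST: {actor} -> {', '.join(vms)}")
```

The two rules are deliberately independent: the account rule fires on the API-created Administrator at 02:17, and the snapshot rule fires on the same new account minutes later, while the daytime UI-driven grant and the single operator snapshot stay quiet. Correlating the two on the account name is the obvious next step for a SIEM rule.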
The bottom line
CVE-2021-21985 exemplifies why hypervisor management plane security requires the same — or greater — rigor than perimeter security. An internet-exposed vCenter server with a CVSS 9.8 unauthenticated RCE is not just a server compromise. It is the keys to every virtual machine in the datacenter, with the ability to bypass every security control running inside those VMs.
The combination of unauthenticated access, root-level execution, and the virtualization management plane represents the highest possible blast radius from a single network-accessible vulnerability. Ransomware operators understand this, which is why dedicated VMware encryptors have become standard tools in advanced ransomware campaigns.
No vCenter instance should be internet-exposed. Management access should be exclusively via dedicated management networks with enforced MFA. If your vCenter is reachable on port 443 from untrusted networks, the question is not whether this particular CVE is patched — it is what other vulnerabilities in the same management plane remain undiscovered.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.