CVE REFERENCE | CRITICAL VULNERABILITY | ACTIVE THREAT

CVE-2021-22005: VMware vCenter Unauthenticated File Upload RCE

The analytics telemetry endpoint that gave attackers code execution on the system controlling every virtual machine in the datacenter: no credentials, one HTTP request, roughly 48 hours to mass exploitation

CVSS score: 9.8
Time to mass exploitation: ~48 hours
Internet-exposed vCenter instances at disclosure: ~6,700
CISA status: listed in the Known Exploited Vulnerabilities (KEV) catalog

CVE-2021-22005 is a critical arbitrary file upload vulnerability in VMware vCenter Server, disclosed by VMware in advisory VMSA-2021-0020 on September 21, 2021. The flaw sits in the HTTP endpoint of the analytics service that collects CEIP (Customer Experience Improvement Program) telemetry and allows any attacker with network access to the vCenter HTTPS interface (port 443) to upload a file and then execute code on the appliance under the privileges of the vCenter service that handled the request. Because vCenter manages every virtual machine, hypervisor, and workload in a vSphere environment, this single vulnerability effectively handed an attacker control of an organization's entire virtualized infrastructure. CISA urged immediate patching and later added the CVE to its Known Exploited Vulnerabilities catalog; in-the-wild exploitation was confirmed within days of disclosure, and mass scanning and exploitation were underway within roughly 48 hours.

Vulnerability Details: The Analytics Endpoint

vCenter Server's CEIP telemetry collection exposes an HTTP API endpoint intended for internal analytics data submission. The vulnerable path — /analytics/telemetry/ph/api/hyper/send — accepted multipart file uploads without requiring any form of authentication.

By sending a crafted multipart HTTP POST to this endpoint, an attacker could upload an arbitrary file to a location on the vCenter server's filesystem. Uploading a JSP (JavaServer Pages) file to a web-accessible directory — readily identifiable via vCenter's publicly documented directory structure — allowed immediate code execution by issuing a subsequent HTTP request to the uploaded file.

The vCenter services run with elevated system privileges on the underlying operating system (Photon OS, VMware's custom Linux). Code execution through the JSP webshell carried those same privileges, providing broad access to the hypervisor management layer, credential stores, and all vCenter API functionality.
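The bug class behind this endpoint, as an added example written for this article and not taken from VMware's analytics service: an upload handler that writes request-supplied bytes to a path derived from a request field, with no authentication and no containment of the target path, next to a hardened version that authenticates the caller, whitelists the identifier, caps the body, and verifies the resolved path stays under the upload root. The handler names, the `analytics/prod` upload directory, the token scheme, and the sample identifier and body are all assumptions for the illustration and do not describe vCenter's real code paths.

```python
"""Hypothetical, simplified upload handler illustrating the CVE-2021-22005 bug
class (unauthenticated write to a request-controlled path). Not VMware code."""
from __future__ import annotations

import hmac
import re
import tempfile
from pathlib import Path

MAX_BODY = 1_000_000                                  # assumed cap for one payload
ID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")       # assumed identifier format


class UploadRejected(Exception):
    """Raised by the hardened handler when a request fails a check."""


def vulnerable_save(upload_root: Path, collector_id: str, body: bytes) -> Path:
    """Vulnerable pattern: the caller-supplied id is joined straight into a path and
    the body is written there. Nothing authenticates the caller, and '..' in the id
    walks out of upload_root into any directory the service account can write."""
    target = upload_root / f"{collector_id}.json"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(body)
    return target.resolve()


def hardened_save(upload_root: Path, collector_id: str, body: bytes,
                  presented_token: str, expected_token: str) -> Path:
    """Hardened form: authenticate, whitelist the identifier, cap the size, and
    confirm the resolved target is a direct child of the resolved upload root."""
    if not hmac.compare_digest(presented_token.encode(), expected_token.encode()):
        raise UploadRejected("unauthenticated")
    if not ID_PATTERN.fullmatch(collector_id):
        raise UploadRejected("collector id contains disallowed characters")
    if len(body) > MAX_BODY:
        raise UploadRejected("body exceeds size cap")
    root = upload_root.resolve()
    root.mkdir(parents=True, exist_ok=True)
    target = (root / f"{collector_id}.json").resolve()
    if target.parent != root:                         # defence in depth behind the regex
        raise UploadRejected("target path escapes upload root")
    target.write_bytes(body)
    return target


def run_demo() -> dict:
    """Exercise both handlers in a scratch directory. The hostile id, the benign id
    and the body are constructed for this example."""
    scratch = Path(tempfile.mkdtemp(prefix="upload-demo-")).resolve()
    upload_root = scratch / "analytics" / "prod"      # assumed telemetry upload dir
    upload_root.mkdir(parents=True)
    webroot = scratch / "webroot"                     # stand-in for a web root
    hostile_id = "../../webroot/shell"                # traversal out of the upload dir
    benign_id = "collector-42"
    body = b"<%-- attacker-controlled content would go here --%>"
    results = {}

    written = vulnerable_save(upload_root, hostile_id, body)
    results["vulnerable_wrote_to_webroot"] = written.parent == webroot and written.exists()

    try:
        hardened_save(upload_root, hostile_id, body, "tok", "tok")
        results["hardened_blocked_traversal"] = False
    except UploadRejected:
        results["hardened_blocked_traversal"] = True

    try:
        hardened_save(upload_root, benign_id, body, "wrong", "tok")
        results["hardened_blocked_unauth"] = False
    except UploadRejected:
        results["hardened_blocked_unauth"] = True

    accepted = hardened_save(upload_root, benign_id, body, "tok", "tok")
    results["hardened_accepted_valid"] = (accepted.parent == upload_root
                                          and accepted.read_bytes() == body)
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The containment check after `resolve()` matters even with the regex in place: a later change that relaxes the allowed characters, or a symlink inside the upload directory, would otherwise silently reopen the traversal.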

Why 48-Hour Mass Exploitation Was Inevitable

Several converging factors made rapid mass exploitation certain:

**Zero authentication barrier**: The vulnerable endpoint required no credentials — just network connectivity to port 443.

**Documented file layout**: vCenter's web root directory structure is publicly documented in VMware's administration guides, making webshell placement trivial.

**Approximately 6,700 internet-exposed instances**: Shodan and Censys scans revealed thousands of vCenter servers directly accessible from the internet at time of disclosure.

**Extreme target value**: vCenter is the management plane for virtualized infrastructure. Ransomware operators specifically prize vCenter access because encrypting VMware datastore files disables thousands of VMs in a single operation. Espionage actors value it for the breadth of network access it provides.

Attack Chain

The exploitation sequence from initial access to infrastructure control:

1. **Locate vCenter HTTPS interface**: Identify a vCenter instance, either internet-facing on port 443 or reachable on the internal network. The analytics endpoint is served on the same port as the vCenter web UI.

2. **Unauthenticated file upload**: POST a multipart request to /analytics/telemetry/ph/api/hyper/send containing a JSP webshell file. No authentication token, session cookie, or credentials are required.

3. **Webshell access confirmed**: The attacker requests the uploaded JSP file over HTTPS to confirm the execution context and service account identity. The webshell provides interactive OS command execution.

4. **vCenter full compromise**: Using webshell access, the attacker extracts vCenter SSO credentials, vSphere admin passwords, and certificate material stored in the vCenter configuration, and plants a persistent backdoor.

5. **Mass VM impact**: With vCenter API access, the attacker can snapshot and exfiltrate VM contents, deploy ransomware to datastores to encrypt all VMs simultaneously, modify VM configurations, or use vCenter as a pivot point into every connected network segment.

Observed Post-Exploitation Activity

CISA alerts, VMware's guidance, and subsequent incident reporting documented the following post-exploitation patterns:

**Cryptocurrency mining**: Multiple campaigns deployed XMRig and similar miners using vCenter compute resources — the lowest-sophistication but most immediately monetizable outcome.

**Ransomware pre-positioning**: Sophisticated operators used initial access to establish persistence and conduct reconnaissance before deploying ransomware against the virtualization layer. A single ransomware execution targeting VMware datastores could render thousands of VMs unbootable.

**Persistent webshells**: Nation-state-adjacent actors planted minimal webshells and maintained long-term dwell time for intelligence collection rather than immediately destructive operations.

**Credential harvesting**: The vCenter configuration database and SSO token stores contain credentials providing access to every VM managed by the instance and often to connected cloud environments.

Detection

Indicators for CVE-2021-22005 exploitation and post-compromise activity:

Indicators of compromise (no file hashes apply to the exploitation itself; the indicators are behavioural):

**POST requests to /analytics/telemetry/ph/api/hyper/send from untrusted addresses** (source: vCenter access log or network log). Any POST to this telemetry endpoint from outside the management network, or carrying a multipart content type, is a direct exploitation attempt; log and alert.

**Unexpected .jsp files in vCenter web root directories** (source: filesystem on the vCenter Photon OS appliance). Compare the JSP files under /usr/lib/vmware-sso/vmware-sts/webapps/ and the other web-accessible directories against the file set of a clean installation of the same build.

**The analytics service (vmware-analytics) or the vsphere-ui process spawning unexpected child processes such as curl, wget, bash, or python** (source: process telemetry on the appliance). vCenter web processes should not spawn interactive shell children; any such process tree indicates webshell execution.

**Outbound HTTPS or DNS requests from the vCenter server to non-VMware infrastructure** (source: network telemetry). vCenter normally talks only to VMware licensing servers and explicitly configured endpoints; external callback traffic indicates compromise.
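The first indicator above turned into detection logic, as an added example that is not part of the original article: a scanner that walks access-log lines, isolates requests to the telemetry endpoint regardless of query string, and grades each one. The sample log lines are constructed for this example in a generic combined-log format with an extra `ct=` field for the request content type; the real field layout of vCenter's rhttpproxy and analytics logs differs, so the regex and the management-network ranges (assumed here to be the RFC 1918 blocks) must be adapted to your environment.

```python
"""Grade access-log requests to the vCenter analytics telemetry endpoint."""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

TARGET_PATH = "/analytics/telemetry/ph/api/hyper/send"

# Assumed management ranges; replace with the networks that legitimately reach vCenter.
MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined-log-style line with an optional trailing ct="..." (request content type).
# Constructed format for this example; adapt to the log you actually export.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
    r'(?: ct="(?P<ctype>[^"]*)")?$'
)

# Constructed sample: one external multipart POST, one unrelated UI request,
# one external GET probe of the endpoint, one internal JSON POST.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Sep/2021:03:14:07 +0000] "POST /analytics/telemetry/ph/api/hyper/send HTTP/1.1" 201 0 "-" "python-requests/2.26.0" ct="multipart/form-data; boundary=x"
10.20.30.40 - - [24/Sep/2021:03:14:09 +0000] "GET /ui/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" ct=""
198.51.100.9 - - [24/Sep/2021:03:15:11 +0000] "GET /analytics/telemetry/ph/api/hyper/send HTTP/1.1" 405 0 "-" "curl/7.79.1" ct=""
10.20.30.41 - - [24/Sep/2021:03:16:00 +0000] "POST /analytics/telemetry/ph/api/hyper/send HTTP/1.1" 201 0 "-" "VMware-client/6.0" ct="application/json"
""".splitlines()


def is_internal(ip: str) -> bool:
    """True when the address falls inside an assumed management range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def scan_access_log(lines: Iterable[str]) -> list[dict]:
    """Return one finding per request that touched the telemetry endpoint.

    severity: "high"   POST from outside the management network, or any multipart POST
              "review" POST from an internal source with a non-multipart body
              "probe"  non-POST request to the endpoint (scanner fingerprinting)
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                   # unparsable line; count separately in prod
        path = m["target"].split("?", 1)[0]            # ignore query string when matching
        if path != TARGET_PATH:
            continue
        external = not is_internal(m["ip"])
        ctype = (m["ctype"] or "").lower()
        if m["method"] != "POST":
            severity = "probe"
        elif external or ctype.startswith("multipart/"):
            severity = "high"
        else:
            severity = "review"
        findings.append({
            "line": lineno, "ip": m["ip"], "external": external, "method": m["method"],
            "status": int(m["status"]), "content_type": ctype, "user_agent": m["ua"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']:6} {f['ip']:15} {f['method']} {f['status']} {f['content_type']!r}")
```

Grade by source and content type rather than by response code: a 201 tells you the write succeeded, but a failed attempt from an external address is still evidence that the host was targeted and should be checked for other activity from the same source.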


Remediation

Steps in order of urgency:

Apply the fixes from VMware advisory VMSA-2021-0020 immediately

Fixed builds are vCenter Server 7.0 U2d and 6.7 U3o (vCenter 6.5 is not affected by this CVE). VMware also published a workaround script (KB85734) that disables the vulnerable analytics endpoint if patching cannot be applied immediately; the workaround is a stopgap, not a substitute for the patch.

Remove vCenter from internet exposure

vCenter should be accessible only from management VLANs or through a VPN/jump host. This eliminates unauthenticated network access and significantly reduces the attack surface for this and future vCenter vulnerabilities. This architectural change should be treated as a permanent requirement, not a temporary workaround.

Audit vCenter web root for unauthorized JSP files

SSH to the vCenter Photon OS appliance and compare JSP files in web-accessible directories against the expected VMware installation manifest. Any unexpected JSP file indicates either exploitation or a misconfiguration requiring immediate investigation.
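The audit step above as runnable logic, added here as an example that is not part of the original article or of VMware's tooling: build a manifest of JSP files (path plus SHA-256) from a clean appliance of the same build, then diff the suspect appliance against it to surface dropped, modified, and missing files. The directory layout and file contents in the demo are constructed; on a real appliance point `audit_jsp` at the web-accessible directories and load the baseline from the clean system.

```python
"""Diff the JSP files on a vCenter appliance against a known-good manifest."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

JSP_PATTERNS = ("*.jsp", "*.jspx")     # JSP variants Tomcat-style containers compile


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each JSP file under root (relative path) to its SHA-256.
    Run this on a CLEAN appliance of the same build to produce the baseline."""
    manifest = {}
    for pattern in JSP_PATTERNS:
        for p in root.rglob(pattern):
            if p.is_file():
                manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def audit_jsp(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the suspect tree against the baseline.
    unexpected: present on the appliance but not in the baseline (dropped webshell)
    modified:   present in both but content differs (backdoored stock page)
    missing:    in the baseline but gone (tampering or a different build; check the build)"""
    current = build_manifest(root)
    return {
        "unexpected": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }


def _write(path: Path, content: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(content)


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: a golden tree and a suspect tree that gained one dropped
    file and one tampered stock page."""
    scratch = Path(tempfile.mkdtemp(prefix="jsp-audit-demo-"))
    golden, suspect = scratch / "golden", scratch / "appliance"
    stock = {"ui/index.jsp": b"<%-- stock page --%>", "ui/error.jsp": b"<%-- stock error page --%>"}
    for rel, content in stock.items():
        _write(golden / rel, content)
        _write(suspect / rel, content)
    baseline = build_manifest(golden)
    _write(suspect / "ui/error.jsp", b"<%-- stock error page --%><%-- appended code --%>")
    _write(suspect / "ui/static/shell.jsp", b"<%-- dropped file --%>")
    return audit_jsp(suspect, baseline)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths or '-'}")
```

A hit in `unexpected` or `modified` is grounds to move to full incident response rather than proof of compromise on its own (a site customization can produce the same diff), and the baseline must come from the exact same build, otherwise `missing` and `modified` fill with patch-level noise. Attackers can also drop files with other extensions that the container will still serve or compile, so treat this as one check among several, not the whole audit.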

Review vCenter access logs for exploitation indicators

Check the rhttpproxy and analytics service logs under /var/log/vmware/, as well as /var/log/vmware/vsphere-ui/logs/ and related paths, for POST requests to /analytics paths. If exploitation indicators are found, proceed to full incident response rather than patch-only remediation.

Rotate vCenter SSO passwords and service credentials

If compromise is suspected or confirmed, rotate all vCenter SSO admin passwords, service account credentials, and SSL certificates. Revoke and reissue all certificates on the appliance. Invalidate all active sessions.

The bottom line

CVE-2021-22005 demonstrates that the virtualization management plane is among the highest-value targets in any enterprise, and among the most catastrophically impactful when compromised. A single unauthenticated HTTP request gave attackers code execution on the appliance that controls every workload in the datacenter. vCenter should never be internet-accessible. If yours was reachable from the internet and unpatched after September 21, 2021, treat it as compromised until a thorough forensic review proves otherwise.

Frequently asked questions

Is CVE-2021-22005 related to CVE-2021-21985 (the earlier vCenter RCE)?

They are distinct vulnerabilities in the same product, both rated CVSS 9.8 in 2021. CVE-2021-21985 (May 2021) was an RCE through the vSAN Health Check plug-in of the vSphere Client (HTML5). CVE-2021-22005 (September 2021) is a file upload RCE in the CEIP analytics service. Both required emergency patching; the fix for one does not cover the other.

Does CVE-2021-22005 affect VMware Cloud Foundation?

Yes. VMware Cloud Foundation (VCF) bundles vCenter Server and was affected across versions 3.x and 4.x. VMware released separate VCF patches in the same VMSA-2021-0020 advisory.

If vCenter is not internet-facing, is the risk eliminated?

The unauthenticated remote exploitation risk is significantly reduced if vCenter is isolated behind a VPN or management VLAN with no external exposure. However, an attacker who gains any foothold on a network segment with vCenter access — via phishing, a compromised workstation, or any other means — can still exploit CVE-2021-22005 without credentials. Network isolation is a mitigation, not a complete fix. Patching remains mandatory.

Sources & references

  1. VMware Security Advisory VMSA-2021-0020
  2. CISA alert and Known Exploited Vulnerabilities catalog entry for CVE-2021-22005
  3. Positive Technologies — CVE-2021-22005 Discovery
  4. Rapid7 AttackerKB analysis of CVE-2021-22005

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.