DETECTION OVERVIEW
Risk Factors
This vCenter vulnerability is well known. A successful exploit requires skill and reconnaissance. An unauthenticated attacker with network access to a vulnerable device can gain complete control of that device, which provides an entry point for further attacks on your network.
Kill Chain
Risk Score
88
The VMware vSphere Client (HTML5) component of VMware vCenter enables management of virtual environments for Windows and Linux hosts. vCenter has plugins that manage authorization for vSphere Client connections. A vulnerability in the vRealize Operations (vROPS) plugin allows an unauthenticated attacker with network access to a vSphere Client to upload malicious files to the vCenter server.

After scanning the target to confirm the presence of the vulnerability, the attacker sends an HTTP POST request with a malicious TAR file to the /uploadova endpoint. Normally, the vROPS plugin decompresses the archive and writes its contents to a restricted directory. However, the malicious archive includes directory traversal fragments, which force the vROPS plugin to write the file content to a directory that the unauthenticated attacker can access. After the vCenter server sends an HTTP response with a success message, the attacker can leverage the malicious file content to install a web shell, exfiltrate data, or perform actions on the vCenter server.
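The two defender-side checks that follow from the description above are (1) refusing to extract an archive whose member names or link targets resolve outside the extraction root, and (2) flagging POST requests to the upload endpoint in the web server's access log. The Python below is an added example written for this page; it is not code from VMware or from the detection product, and the sample archives and log lines it uses are constructed here. It assumes a common-log-style access log and matches only on the path suffix /uploadova named on the page, not on the plugin's full URL.

```python
import io
import posixpath
import re
import tarfile

TRAVERSAL_SEGMENT = ".."


def member_escapes_root(name: str) -> bool:
    """True if a TAR member path would resolve outside the extraction root.

    Absolute paths, Windows drive letters and any '..' path segment are
    treated as escapes; backslashes are normalised first so a Windows-style
    name cannot slip past a forward-slash-only check.
    """
    if not name:
        return False
    norm = name.replace("\\", "/")
    if norm.startswith("/"):
        return True
    if len(norm) > 1 and norm[1] == ":":
        return True
    return TRAVERSAL_SEGMENT in norm.split("/")


def link_escapes_root(member: tarfile.TarInfo) -> bool:
    """True if a symlink/hardlink member points outside the extraction root
    once its target is resolved relative to the member's own directory."""
    if not (member.issym() or member.islnk()):
        return False
    target = member.linkname.replace("\\", "/")
    if target.startswith("/"):
        return True
    resolved = posixpath.normpath(
        posixpath.join(posixpath.dirname(member.name), target))
    return resolved == TRAVERSAL_SEGMENT or resolved.startswith("../")


def inspect_tar(data: bytes) -> list:
    """Return findings for an archive; an empty list means every member stays
    inside the extraction root. Only headers are read; nothing is extracted."""
    findings = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for m in tf.getmembers():
                if member_escapes_root(m.name):
                    findings.append(f"member name escapes root: {m.name!r}")
                if link_escapes_root(m):
                    findings.append(
                        f"link {m.name!r} targets {m.linkname!r} outside root")
    except tarfile.TarError as exc:
        findings.append(f"unreadable archive: {exc}")
    return findings


def build_sample_tar(files=(), symlinks=()) -> bytes:
    """Build an in-memory TAR from (name, bytes) files and (name, target)
    symlinks. Constructed test input only, used to exercise inspect_tar()."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files:
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
        for name, target in symlinks:
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tf.addfile(info)
    return buf.getvalue()


# Constructed access-log lines (assumed common-log-style format) for the
# request detector below. Only the POST to the upload endpoint should match.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:12:00:00 +0000] "GET /ui/ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2021:12:00:01 +0000] "GET /uploadova HTTP/1.1" 405 0
10.0.0.9 - - [01/Jan/2021:12:00:02 +0000] "POST /uploadova HTTP/1.1" 200 14
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def flag_uploadova_posts(lines):
    """Return (source_ip, path, status) for each POST whose path ends in
    /uploadova. A 200 here is the 'success message' the page describes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if m.group("method") == "POST" and path.endswith("/uploadova"):
            hits.append((m.group("src"), path, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    bad = build_sample_tar(files=[("../../tmp/escape.txt", b"x")])
    print(inspect_tar(bad))
    print(flag_uploadova_posts(SAMPLE_LOG.splitlines()))
```

The archive check is the generic "tar-slip" guard, so it also covers symlink and hardlink members, a case the page does not mention but which the same extraction path would be exposed to. On Python 3.12 and later, `TarFile.extractall(filter="data")` applies an equivalent policy at extraction time; the explicit pre-check above is still useful when the goal is to log and alert rather than silently reject.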