DETECTION OVERVIEW

VMware vCenter Exploit - CVE-2021-22005

Risk Factors

This vCenter vulnerability is well known and requires network access to port 443 on a vCenter server. An unauthenticated attacker can leverage public exploit code to gain complete control of a device or escalate privileges to spread malware, such as ransomware, across the network.

Kill Chain

Exploitation

Risk Score

Attack Background

VMware vCenter Server enables the management of virtual environments for Windows and Linux hosts. The Analytics service in vCenter has a vulnerability that allows an unauthenticated attacker to successfully upload a file with a malicious payload. The attacker sends a specially crafted HTTP POST request, which contains the malicious payload and path traversal fragments in a query parameter value, to an Analytics service endpoint on port 443 (1). The vulnerable vCenter sends a response to indicate that the malicious POST request was accepted (2) and runs malicious code in the file on the server.

Mitigation Options

Install relevant patches for affected versions

Professional Services

Partners

Partner Login

Partner Finder

View All Use Cases

View All Industries

View All Integrations

Attack Background

Mitigation Options

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use cases