VMware is urging users of vCenter Server to patch no fewer than 19 vulnerabilities affecting its products.
These updates fix a variety of security issues, but one of them is particularly nasty: CVE-2021-22005, a critical arbitrary file upload vulnerability with a CVSS score of 9.8 out of 10.
It is so bad that the company is advising users to sort it out “right now”:
These updates fix a critical security vulnerability, and your response needs to be considered at once. Organizations that practice change management using the ITIL definitions of change types would consider this an “emergency change.”
CVE-2021-22005
vCenter Server is the management layer for large virtual infrastructure. If you have lots of hosts and virtual machines, it is the console from which every aspect of that setup is managed. With this in mind, if someone manages to compromise your vCenter Server, it probably won’t end well.
And that is exactly what CVE-2021-22005 allows. It is an arbitrary file upload vulnerability, and anyone who can reach vCenter Server over the network can exploit it, regardless of how vCenter Server is configured. No credentials are needed: an attacker with that network access can upload a specially crafted file and use it to execute code on the vCenter Server.
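To make the class of bug concrete, here is an added illustration. It is not VMware’s code and not the actual mechanism inside vCenter Server, which this page does not describe; it is a generic upload handler that any network client can call and that trusts the client-supplied filename, shown beside a hardened version. All names (`vulnerable_save`, `hardened_save`, the scratch directory, the extension allowlist) are hypothetical, and the sandbox directory it writes into is constructed by the example itself.

```python
import os
import re
import tempfile

# Constructed sandbox: a throwaway directory standing in for a service's upload area.
BASE_DIR = tempfile.mkdtemp(prefix="upload-demo-")
UPLOAD_ROOT = os.path.join(BASE_DIR, "uploads")
os.makedirs(UPLOAD_ROOT, exist_ok=True)

MAX_BYTES = 1_000_000
ALLOWED_EXT = {".json", ".txt"}            # hypothetical allowlist; no scripts or binaries
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")  # no leading dot, no separators


def is_under(path: str, root: str) -> bool:
    """True if path (after resolving symlinks and '..') lies inside root."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return os.path.commonpath([root, path]) == root


def vulnerable_save(filename: str, data: bytes, authenticated: bool = False) -> str:
    """Vulnerable pattern: anyone on the network may upload (the auth flag is
    ignored), and the client-supplied name is joined straight onto the upload
    directory. A name such as '../cron.d/job' escapes UPLOAD_ROOT, and an
    absolute name makes os.path.join discard UPLOAD_ROOT entirely."""
    dest = os.path.join(UPLOAD_ROOT, filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return os.path.realpath(dest)


def hardened_save(filename: str, data: bytes, authenticated: bool = False) -> str:
    """Hardened version: require authentication, accept only a plain filename
    with an allowlisted extension, cap the size, confirm the resolved
    destination is still inside UPLOAD_ROOT, never overwrite an existing
    file, and store the result without execute permission."""
    if not authenticated:
        raise PermissionError("authentication required")
    if filename != os.path.basename(filename) or not SAFE_NAME.fullmatch(filename):
        raise ValueError("invalid filename")
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXT:
        raise ValueError("disallowed file type")
    if len(data) > MAX_BYTES:
        raise ValueError("upload too large")
    dest = os.path.join(UPLOAD_ROOT, filename)
    if not is_under(dest, UPLOAD_ROOT):   # defence in depth; the name checks already guarantee this
        raise ValueError("path escapes upload root")
    with open(dest, "xb") as f:           # 'x' refuses to clobber an existing file
        f.write(data)
    os.chmod(dest, 0o600)                 # readable by the service only, never executable
    return os.path.realpath(dest)


def try_save(handler, filename: str, data: bytes, authenticated: bool) -> str:
    """Run a handler and summarise what happened: 'accepted' (file landed inside
    UPLOAD_ROOT), 'escaped' (file landed outside it) or 'rejected: <Error>'."""
    try:
        path = handler(filename, data, authenticated)
    except (PermissionError, ValueError, FileExistsError) as exc:
        return f"rejected: {type(exc).__name__}"
    return "accepted" if is_under(path, UPLOAD_ROOT) else "escaped"


if __name__ == "__main__":
    # The vulnerable handler lets an unauthenticated client plant a script one level above the upload area.
    print("vulnerable, '../planted.sh', no auth :", try_save(vulnerable_save, "../planted.sh", b"#!/bin/sh\necho owned\n", False))
    print("hardened,  '../planted.sh', auth    :", try_save(hardened_save, "../planted.sh", b"{}", True))
    print("hardened,  'report.json',   no auth :", try_save(hardened_save, "report.json", b"{}", False))
    print("hardened,  'report.json',   auth    :", try_save(hardened_save, "report.json", b"{}", True))
```

The point of the pairing is that “who can reach the endpoint” and “what the endpoint does with the bytes” are separate controls: the hardened handler would still be a bad idea if it were exposed to the whole network without authentication, and an authenticated handler is still dangerous if it writes attacker-named files into a location the system later executes.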
As VMware points out, bad actors are often already inside your network, waiting patiently for an opportunity to strike. They will likely exfiltrate data slowly so that nobody ever notices they are there. Being able to snag a win like this, control of the system that manages your whole virtual estate, could sharply increase the threat from ransomware and other malicious activity.
What should I do?
Well, patch immediately is definitely the go-to advice. VMware acknowledges that an emergency change of this kind may fall outside how you usually do things, but it still impresses upon readers that patching needs to happen as soon as possible. It is, perhaps, unusual (and refreshing) to see a vendor stress this so plainly, so kudos for being so forthright.
Is my vCenter Server setup affected by this?
It depends. Some versions, such as vCenter Server 6.5, are not affected by CVE-2021-22005. Others, including vCenter Server 6.7 and 7.0, are. Refer to VMware’s dedicated rundown on this issue, check your version and build against the fixed releases listed there, and take appropriate action as soon as you possibly can. We’ll leave the last word to VMware with regard to when you should be patching:
Immediately, the ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.
With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.
This seems like very good advice.