Working exploit released for critical VMware vCenter vulnerability

A working exploit for the CVE-2021-22005 VMware vCenter flaw has been made publicly available and is reportedly being used by threat actors, warn security researchers.

Unlike the version that started making the rounds at the end of last week, the PoC code released on Monday by Rapid7 security engineer William Vu (known on Twitter as wvu) opens a reverse shell on a vulnerable system, allowing remote attackers to execute arbitrary code. The exploit works against endpoints with the Customer Experience Improvement Program (CEIP) component enabled.

Will Dormann, vulnerability analyst at the CERT/CC, also confirmed on Twitter that the exploit for CVE-2021-22005 is now fully public.

CVE-2021-22005 is an arbitrary file upload vulnerability within the Analytics service of vCenter Server, which allows a remote non-authenticated attacker to upload and execute an arbitrary file on the server and thus fully compromise the system. The bug affects vCenter Server 6.5, 6.7, and 7.0.

On September 24, VMware confirmed reports that CVE-2021-22005 was being exploited in the wild, and multiple security researchers reported mass scanning for vulnerable vCenter Servers.

VMware has released Security Advisory VMSA-2021-0020 with patching information and has also provided a temporary workaround for CVE-2021-22005 for those unable to upgrade to a fixed version immediately.

In an advisory on Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) also urged critical infrastructure entities and other organizations with affected vCenter Servers to update the machines immediately or to apply the temporary workaround from VMware.
