article featured image


Cybercriminals are scanning for VMware vCenter servers vulnerable to severe remote code execution (RCE) bug affecting all vCenter deployments and patched by VMware ten days ago.

Last week, the threat intelligence company Bad Packets was the first to see the ongoing scanning activity, later corroborated by cybersecurity specialist Kevin Beaumont.

The flaw, tracked as CVE-2021-21985, is situated in the VCenter Server, an instrument for running virtualization in big data centers.

A VMware press release issued last week stated vCenter machines utilizing default configurations have a vulnerability that, in many networks, enables the implementation of malicious code when the machines can be reached on a port that is exposed to the Internet.

On Wednesday, a researcher published a proof-of-concept (PoC) code that exploits the vulnerability. Another specialist declared the exploit is able to be trusted and that little extra work is required to use the code for malicious purposes.

It can be reproduced using five requests from cURL, a command-line tool that transfers data using HTTP, HTTPS, IMAP, and other common Internet protocols.

Thousands of vulnerable vCenter servers are reachable over the Internet at the moment, according to the Shodan search engine for Internet-connected devices.

The security vulnerability can be remotely abused by unauthorized threat actors in less complicated attacks which don’t need user interaction.

Successful exploitation enables cybercriminals to assume control of a company’s entire network, seeing that IT departments and administrators use VMware vCenter servers to manage VMware solutions deployed across organization environments.

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.

Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used.


Following the release of security updates to address the bug tracked as CVE-2021-21985, VMware alerted that these updates mend a severe security flaw and it needs to be taken into consideration immediately.

The company also added that this bug can be employed by anyone who can reach vCenter Server over the network to obtain access, regardless of whether you use vSAN or not.

As we said before, vCenter lives in potentially unprotected parts of big companies’ networks. Once threat actors acquire control of the machines, it’s frequently just a matter of time before they can move to parts of the network that enable the installation of espionage malware or ransomware.

Multiple ransomware groups, including Darkside, RansomExx, and Babuk Locker have exploited VMWare ESXi pre-auth RCE bugs to encrypt virtual hard disks used as centralized enterprise storage space.

In this era of ransomware, it is safest to assume that an attacker is already inside the network somewhere, on a desktop, and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.


The organization also provides workaround measures created to eliminate the attack vector and chance of exploitation by setting the affected plug-ins to “incompatible” for those who cannot instantly carry out the security updates.

Admins in charge of vCenter machines that have yet to patch CVE-2021-21985 should install the update as quickly as possible.

Our Automated Heimdal™ Patch & Asset Management solution will automatically install updates based on your configured policies, without the need for manual input. As soon as 3rd party vendors release new patches, our technology silently deploys them to your endpoints, without the need for reboots or user interruption.


Heimdal Official Logo
Automate your patch management routine.

Heimdal® Patch & Asset Management Software

Remotely and automatically install Windows, Linux and 3rd party application updates and manage your software inventory.
  • Schedule updates at your convenience;
  • See any software assets in inventory;
  • Global deployment and LAN P2P;
  • And much more than we can fit in here...
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.