CVE-2021-21985 Explained: VMware vCenter Server Remote Code Execution
A CVSS 9.8 unauthenticated RCE in VMware vCenter Server's vSphere Client. Compromise the hypervisor management plane and you own every virtual machine it controls.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2021-21985 is a critical unauthenticated remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. Disclosed May 25, 2021, with a CVSS score of 9.8, it allows an unauthenticated attacker with network access to vCenter's HTTPS management port (443) to achieve RCE with operating system-level privileges.
The vulnerability's impact extends far beyond the vCenter server itself. vCenter is the management plane for VMware virtualized infrastructure, an attacker who achieves RCE on vCenter gains the ability to control, snapshot, clone, and destroy every virtual machine under its management. In environments where VMware vSphere hosts domain controllers, databases, and critical application servers, vCenter compromise equals complete infrastructure takeover.
The Plugin Vulnerability: How CVE-2021-21985 Achieves Unauthenticated RCE
VMware vCenter Server ships with a set of pre-installed plugins that extend its management capabilities. One of these, the Virtual SAN (vSAN) Health Check plugin, is enabled by default even in environments that do not use vSAN storage. CVE-2021-21985 exists in this plugin's input validation handling.
The vSAN Health Check plugin exposes several API endpoints accessible through vCenter's web interface. These endpoints lack proper authentication checks in vulnerable versions, and they fail to validate or sanitize input before using it in backend operations. By sending a specially crafted HTTP request to the vulnerable endpoint, an unauthenticated attacker can inject commands that execute on the underlying operating system.
On Linux-based vCenter Server Appliance (VCSA) installations, code executes as root. On Windows-based vCenter Server installations (deprecated but still in use), code executes as SYSTEM. In both cases, the attacker gains unrestricted operating system access to the vCenter server, from which the entire vSphere infrastructure management plane is accessible.
Affected versions include vCenter Server 6.5, 6.7, and 7.0 before their respective patch releases, as well as Cloud Foundation 3.x and 4.x.
Identify vCenter instances
Scan for VMware vCenter Server web interfaces exposed on port 443. The vSphere Client login page is distinctive. Thousands of vCenter instances are directly internet-exposed; many more are reachable from internal network footholds.
Target vSAN Health Check plugin
Send unauthenticated HTTP requests to the vulnerable vSAN Health Check plugin API endpoint. No session token, cookie, or credential is required, the endpoint is accessible without authentication in affected versions.
Inject payload
Supply malicious input in the request that triggers unsanitized backend execution. The plugin processes the input and executes the injected commands as root (Linux VCSA) or SYSTEM (Windows vCenter).
Establish persistence on vCenter
Deploy a web shell or implant on the vCenter server, or create a new SSO administrator account for persistent access. vCenter's built-in user store allows account creation from the OS level.
Extend control across VMware infrastructure
From vCenter, issue commands to ESXi hosts, power off VMs, take snapshots (capturing memory with credentials), deploy new VMs from attacker-controlled templates, or encrypt virtual machine disk files directly at the hypervisor layer.
Why vCenter Compromise is a Crown Jewel Attack
vCenter Server occupies a unique position in enterprise infrastructure: it is the administrative control plane for the virtualized environment. In organizations where VMware vSphere hosts the majority of production workloads, a common configuration, a single vCenter compromise provides access to every system those VMs represent.
Attackers who compromise vCenter can perform several uniquely devastating actions not available through traditional endpoint compromise. They can take memory snapshots of running virtual machines, which capture encryption keys, process memory, and credentials from systems that may be otherwise hardened. They can deploy ransomware directly at the VMDK (virtual disk) level by shutting down VMs and encrypting their disk files, bypassing endpoint security agents running inside those VMs entirely. They can clone VMs to exfiltrate entire server environments offline for analysis.
Several ransomware groups, including REvil, Darkside (behind the Colonial Pipeline attack), and HelloKitty, have developed specialized ESXi/vCenter encryptors specifically targeting the hypervisor layer. CVE-2021-21985 provided direct unauthenticated access to this capability from a single internet-accessible HTTP request.
Exploitation was confirmed in the wild within days of disclosure. The vulnerability was added to CISA's Known Exploited Vulnerabilities catalog.
“Unauthenticated access to vCenter is functionally equivalent to unauthenticated access to every virtual machine it manages. The blast radius is the entire virtual infrastructure.”
VMware Security Advisory VMSA-2021-0010
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Patching and Securing VMware vCenter Against CVE-2021-21985
VMware released patches for vCenter 6.5, 6.7, and 7.0 on May 25, 2021. Patching must be treated as emergency priority. The following additional controls harden vCenter independent of the specific vulnerability.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2021-21985 exemplifies why hypervisor management plane security requires the same, or greater, rigor than perimeter security. An internet-exposed vCenter server with a CVSS 9.8 unauthenticated RCE is not just a server compromise. It is the keys to every virtual machine in the datacenter, with the ability to bypass every security control running inside those VMs.
The combination of unauthenticated access, root-level execution, and the virtualization management plane represents the highest possible blast radius from a single network-accessible vulnerability. Ransomware operators understand this, which is why dedicated VMware encryptors have become standard tools in advanced ransomware campaigns.
No vCenter instance should be internet-exposed. Management access should be exclusively via dedicated management networks with enforced MFA. If your vCenter is reachable on port 443 from untrusted networks, the question is not whether this particular CVE is patched, it is what other vulnerabilities in the same management plane remain undiscovered.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2021-21985 and why is vCenter compromise so severe?
CVE-2021-21985 is a CVSS 9.8 unauthenticated RCE in VMware vCenter Server's vSphere Client. The vulnerability exists in the Virtual SAN Health Check plugin, enabled by default, which lacks authentication checks. An attacker with network access to port 443 achieves root or SYSTEM execution on vCenter. Because vCenter is the management plane for the entire VMware virtual infrastructure, this grants control over every VM it manages: the ability to power off, snapshot, clone, or encrypt virtual disk files for all hosted workloads.
How do I fix CVE-2021-21985?
Apply patches from VMware Security Advisory VMSA-2021-0010: upgrade to vCenter Server 7.0 U2b, 6.7 U3n, or 6.5 U3p. Immediately isolate vCenter management access to a dedicated management VLAN, vCenter should never be internet-accessible. As defense-in-depth, disable unused plugins including vSAN Health Check if vSAN is not in use, and enforce MFA on vCenter SSO.
How did ransomware groups exploit CVE-2021-21985?
Ransomware groups including REvil, Darkside, and HelloKitty developed specialized ESXi and vCenter encryptors that exploit hypervisor-level access to encrypt VMDK (virtual disk) files directly, bypassing endpoint security agents running inside VMs. CVE-2021-21985 provided unauthenticated entry to this capability, enabling attackers to deploy ransomware against entire virtual infrastructure environments from a single network-accessible HTTP request.
Which vCenter Server versions are affected by CVE-2021-21985?
VMware vCenter Server 6.5 (all builds before 6.5 U3p), vCenter Server 6.7 (all builds before 6.7 U3n), and vCenter Server 7.0 (all builds before 7.0 U2b) are all vulnerable to CVE-2021-21985. The Virtual SAN Health Check plugin is enabled by default across all three versions. VMware Cloud Foundation 3.x and 4.x are also affected through their bundled vCenter components. VMware released patches on May 25, 2021 with no workaround available other than disabling the plugin via the vSphere Web Client.
Why is vCenter compromise worse than compromising a single server?
vCenter is the management plane for an entire VMware virtual infrastructure, meaning a single attacker with vCenter admin access controls every VM, host, network, and storage object in the environment. Compromise enables deploying new VMs with attacker-controlled payloads across all connected ESXi hosts, cloning or snapshotting any VM for data exfiltration, shutting down or deleting all guest VMs simultaneously, modifying VM configurations to disable security controls, and pivoting across all network segments connected to any VM. This hypervisor-level control is why ransomware groups specifically targeted vCenter.
How can I detect exploitation of CVE-2021-21985 on my vCenter?
Review vCenter audit logs for unexpected administrative account creation or privilege escalation events following May 2021. Check for unfamiliar VM snapshots, cloned VMs, or newly created VMs you did not provision. Look for unusual ESXi host additions or modifications to distributed virtual switch configurations. Inspect authentication logs for access from unexpected source IPs. Review /var/log/vmware/vpxd/vpxd.log for abnormal plugin API calls to the Virtual SAN Health Check endpoint. CISA also recommended scanning for web shells in the vCenter file system as a post-exploitation indicator.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
