CVE-2021-22005: VMware vCenter Unauthenticated File Upload RCE
The analytics telemetry endpoint that gave attackers root on every virtual machine in the datacenter, no credentials, one HTTP request, 48 hours to mass exploitation

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2021-22005 is a critical arbitrary file upload vulnerability in VMware vCenter Server discovered by Positive Technologies and disclosed in September 2021. The flaw exists in the CEIP (Customer Experience Improvement Program) analytics service endpoint and allows any attacker with network access to the vCenter web interface to upload a JSP file and immediately execute it as the vCenter service account. Because vCenter manages every virtual machine, hypervisor, and workload in a vSphere environment, this single vulnerability effectively granted an attacker control of an organization's entire virtualized infrastructure. CISA issued Emergency Directive 21-04 and mass exploitation was underway within 48 hours of disclosure.
Vulnerability Details: The Analytics Endpoint
vCenter Server's CEIP telemetry collection exposes an HTTP API endpoint intended for internal analytics data submission. The vulnerable path, /analytics/telemetry/ph/api/hyper/send, accepted multipart file uploads without requiring any form of authentication.
By sending a crafted multipart HTTP POST to this endpoint, an attacker could upload an arbitrary file to a location on the vCenter server's filesystem. Uploading a JSP (JavaServer Pages) file to a web-accessible directory, readily identifiable via vCenter's publicly documented directory structure, allowed immediate code execution by issuing a subsequent HTTP request to the uploaded file.
The vCenter services run with elevated system privileges on the underlying operating system (Photon OS, VMware's custom Linux). Code execution through the JSP webshell carried those same privileges, providing broad access to the hypervisor management layer, credential stores, and all vCenter API functionality.
Why 48-Hour Mass Exploitation Was Inevitable
Several converging factors made rapid mass exploitation certain:
Zero authentication barrier: The vulnerable endpoint required no credentials, just network connectivity to port 443.
Documented file layout: vCenter's web root directory structure is publicly documented in VMware's administration guides, making webshell placement trivial.
Approximately 6,700 internet-exposed instances: Shodan and Censys scans revealed thousands of vCenter servers directly accessible from the internet at time of disclosure.
Extreme target value: vCenter is the management plane for virtualized infrastructure. Ransomware operators specifically prize vCenter access because encrypting VMware datastore files disables thousands of VMs in a single operation. Espionage actors value it for the breadth of network access it provides.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Attack Chain
The exploitation sequence from initial access to infrastructure control:
Locate vCenter HTTPS Interface
Identify vCenter instance, internet-facing on port 443 or accessible via internal network. The analytics endpoint is available on the same port as the vCenter web UI.
Unauthenticated File Upload
POST multipart request to /analytics/telemetry/ph/api/hyper/send containing a JSP webshell file. No authentication token, session cookie, or credentials required.
Webshell Access Confirmed
Attacker requests the uploaded JSP file via HTTPS to confirm execution context and service account identity. Webshell provides interactive OS command execution.
vCenter Full Compromise
Using webshell access, attacker extracts vCenter SSO credentials, vSphere admin passwords, and certificate material stored in the vCenter configuration. Persistent backdoor planted.
Mass VM Impact
With vCenter API access, attacker can snapshot and exfiltrate VM contents, deploy ransomware to datastores encrypting all VMs simultaneously, modify VM configurations, or use vCenter as a network pivot point to reach all connected segments.
Observed Post-Exploitation Activity
CISA's Emergency Directive 21-04 and subsequent reporting documented the following post-exploitation patterns:
Cryptocurrency mining: Multiple campaigns deployed XMRig and similar miners using vCenter compute resources, the lowest-sophistication but most immediately monetizable outcome.
Ransomware pre-positioning: Sophisticated operators used initial access to establish persistence and conduct reconnaissance before deploying ransomware against the virtualization layer. A single ransomware execution targeting VMware datastores could render thousands of VMs unbootable.
Persistent webshells: Nation-state-adjacent actors planted minimal webshells and maintained long-term dwell time for intelligence collection rather than immediately destructive operations.
Credential harvesting: The vCenter configuration database and SSO token stores contain credentials providing access to every VM managed by the instance and often to connected cloud environments.
Detection
Indicators for CVE-2021-22005 exploitation and post-compromise activity:
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Remediation
Steps in order of urgency:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2021-22005 demonstrates that the virtualization management plane is among the highest-value targets in any enterprise, and among the most catastrophically impactful when compromised. A single unauthenticated HTTP request gave attackers root on a system controlling every workload in the datacenter. vCenter should never be internet-accessible. If it was before September 21, 2021, treat it as compromised until a thorough forensic review proves otherwise.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
Is CVE-2021-22005 related to CVE-2021-21985 (the earlier vCenter RCE)?
They are distinct vulnerabilities in the same product, both rated CVSS 9.8 in 2021. [CVE-2021-21985](https://nvd.nist.gov/vuln/detail/CVE-2021-21985) (May 2021) was an RCE via the vSphere HTML5 client plugin mechanism. CVE-2021-22005 (September 2021) is a file upload RCE via the CEIP analytics service. Both require emergency patching; neither patches the other.
Does CVE-2021-22005 affect VMware Cloud Foundation?
Yes. VMware Cloud Foundation (VCF) bundles vCenter Server and was affected across versions 3.x and 4.x. VMware released separate VCF patches in the same VMSA-2021-0020 advisory.
If vCenter is not internet-facing, is the risk eliminated?
The unauthenticated remote exploitation risk is significantly reduced if vCenter is isolated behind a VPN or management VLAN with no external exposure. However, an attacker who gains any foothold on a network segment with vCenter access, via phishing, a compromised workstation, or any other means, can still exploit CVE-2021-22005 without credentials. Network isolation is a mitigation, not a complete fix. Patching remains mandatory.
What is CEIP and can disabling it mitigate CVE-2021-22005?
CEIP (Customer Experience Improvement Program) is VMware's telemetry collection service that gathers anonymous usage data. The vulnerable /analytics/telemetry endpoint is part of the CEIP service. VMware's workaround KB85734 provides a script that stops the CEIP analytics service, disabling the vulnerable endpoint as a temporary compensating control when immediate patching is not possible. However, this is a workaround, not a fix. The VMSA-2021-0020 patches are the complete remediation. Organizations should apply the workaround immediately and patch as soon as possible.
How does CVE-2021-22005 differ from CVE-2021-21985, the other 2021 vCenter RCE?
Both CVE-2021-21985 (May 2021) and CVE-2021-22005 (September 2021) are CVSS 9.8 unauthenticated RCE vulnerabilities in VMware vCenter Server, but they exploit entirely different attack surfaces. CVE-2021-21985 exploits input validation failures in the vSAN Health Check plugin's API endpoints. CVE-2021-22005 exploits an unauthenticated file upload in the CEIP analytics service telemetry endpoint. Patching one does not patch the other; they require separate remediation. Organizations that patched CVE-2021-21985 in May 2021 remained vulnerable to CVE-2021-22005 until applying VMSA-2021-0020 in September 2021.
Why did CISA issue an Emergency Directive (ED 21-04) for CVE-2021-22005?
CISA issued Emergency Directive 21-04 because CVE-2021-22005 combined three high-risk factors: unauthenticated exploitation requiring only network access, a CVSS score of 9.8 indicating near-maximum severity, and the hypervisor management plane as the target, which gives an attacker control over every VM in the affected environment. Federal agencies were required to patch or apply the workaround within 24 hours of the directive. The rapid mass exploitation timeline (48 hours from disclosure to widespread active exploitation) and the high concentration of VMware vSphere in federal and critical infrastructure environments justified the emergency designation.
Sources & references
- VMware Security Advisory VMSA-2021-0020
- CISA Emergency Directive 21-04
- Positive Technologies, CVE-2021-22005 Discovery
- Rapid7 AttackerKB Analysis
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
