Tags: VMware, vCenter, ESXi, CVE-2021-21985, ransomware, virtualization

VMware vCenter and ESXi: Critical CVEs Threatening Your Virtual Infrastructure

VMware vCenter Server and ESXi concentrate critical vulnerabilities regularly exploited by ransomware gangs. Analysis of major CVEs and how to secure your virtualization infrastructure.

April 23, 2026 · 3 min read

VMware's virtualization infrastructure — vCenter Server for management and ESXi as the hypervisor — sits at the heart of thousands of enterprise datacenters. Compromising it means access to every hosted virtual machine. That's why ransomware gangs prioritize VMware as a target.

Why VMware is a Priority Target

Compromising vCenter or ESXi grants access to:

  • All VMs in the datacenter (shutdown, encryption, exfiltration)
  • Snapshots and backups stored on datastores
  • Network traffic between VMs via vSwitches
  • Administrator credentials stored in vCenter

Ransomware deployed at the hypervisor level can encrypt all VMs simultaneously in minutes — without needing to compromise each guest OS individually.

CVE-2021-21985: RCE in vCenter (CVSS 9.8)

The Vulnerability

A remote code execution flaw in the Virtual SAN Health Check plugin of vCenter Server. The plugin is enabled by default even if you don't use vSAN. An attacker who can reach vCenter's port 443 can execute arbitrary code on the appliance without authenticating.

Affected versions: vCenter Server 6.5, 6.7, 7.0

Widely exploited within weeks of its May 2021 disclosure, mostly to drop web shells and cryptocurrency miners on exposed vCenter appliances.

CVE-2021-22005: Arbitrary File Upload (CVSS 9.8)

A flaw in vCenter's Analytics service allowed an unauthenticated attacker to upload arbitrary files to the appliance, leading to code execution. Exploitation in the wild was observed within days of its September 2021 disclosure.

CVE-2022-22954: RCE via SSTI (CVSS 9.8)

A Server-Side Template Injection in VMware Workspace ONE Access and Identity Manager, the identity products often deployed alongside vSphere rather than a vCenter or ESXi component. A public exploit appeared within days of disclosure and was widely used to deploy cryptocurrency miners and backdoors.

CVE-2023-20867: VMware Tools Auth Bypass (CVSS 3.9, Critical in Practice)

Used by the group UNC3886 as part of an advanced ESXi attack chain reported by Mandiant in June 2023. The flaw sits in VMware Tools, not in ESXi itself: an attacker who already has root on an ESXi host can drive guest operations (run commands, transfer files) inside the VMs through VMware Tools without presenting guest credentials. The CVSS score is low only because root on the hypervisor is a precondition; once that is met, the bug silently extends the compromise into every guest. The fix shipped in VMware Tools 12.2.5, so remediation is a Tools upgrade inside the guests, not an ESXi patch.

The ESXiArgs Campaign (2023)

In February 2023, the ESXiArgs campaign hit thousands of unpatched ESXi hosts exposed to the internet. The suspected entry point was CVE-2021-21974, a heap overflow in ESXi's OpenSLP service (CVSS 8.8), patched in February 2021, so the victims had been unpatched for two years. The ransomware encrypted VM configuration and disk files (.vmx, .vmdk, .vmsd, .nvram and others) on the datastores.

Impact:

  • Several thousand ESXi servers encrypted within days
  • Primary target: unpatched ESXi 6.x and 7.0 builds still running OpenSLP
  • CISA and the FBI published a recovery script (ESXiArgs-Recover) that rebuilt VMs from the flat .vmdk files the first encryptor variant left intact; a later variant closed that gap

# Check whether SLP is still running and reachable on an ESXi host
# (this shows exposure, not patch level; for that, compare the build
# from `vmware -vl` against the fixed builds in VMSA-2021-0002)
chkconfig --list | grep slpd
esxcli network firewall ruleset list | grep CIMSLP
# Both should report off / false
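A fleet-audit version of that check, as an added example rather than code from the original post: it parses the text of `vmware -vl`, `chkconfig --list` and `esxcli network firewall ruleset list` collected from each host (over SSH, for instance) and classifies the host as patched, mitigated or vulnerable. The sample outputs are constructed, and the thresholds in FIXED_BUILDS are the first fixed builds of VMSA-2021-0002 as recalled here; verify them against the advisory before relying on the result.

```python
"""Classify ESXi hosts for CVE-2021-21974 (the ESXiArgs entry point) from
command output collected on each host:
    vmware -vl
    chkconfig --list
    esxcli network firewall ruleset list
Added example, not VMware tooling. Sample outputs are constructed and the
FIXED_BUILDS values are recalled from VMSA-2021-0002 (verify them)."""
import re

# Assumed first fixed build per affected branch (VMSA-2021-0002). Build
# numbers are only comparable within a branch, hence the per-branch table.
FIXED_BUILDS = {
    "7.0": 17325551,   # ESXi70U1c-17325551
    "6.7": 17499825,   # ESXi670-202102401-SG
    "6.5": 17477841,   # ESXi650-202102101-SG
}


def parse_vmware_vl(text):
    """Return (branch, build) from `vmware -vl`, e.g. 'VMware ESXi 7.0.0 build-16324942'."""
    m = re.search(r"ESXi (\d+\.\d+)\.\d+ build-(\d+)", text)
    if not m:
        raise ValueError("unrecognised `vmware -vl` output: %r" % text)
    return m.group(1), int(m.group(2))


def slpd_enabled(chkconfig_text):
    """True if `chkconfig --list` shows the slpd service as on."""
    for line in chkconfig_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "slpd":
            return parts[1] == "on"
    return False  # no slpd entry at all (ESXi 8 dropped OpenSLP)


def cimslp_rule_enabled(ruleset_text):
    """True if the CIMSLP ruleset is enabled in `esxcli network firewall ruleset list`."""
    for line in ruleset_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "CIMSLP":
            return parts[1].lower() == "true"
    return False


def audit_host(vmware_vl, chkconfig, ruleset):
    """Classify one host: patched / mitigated-unpatched / VULNERABLE / outside-advisory."""
    branch, build = parse_vmware_vl(vmware_vl)
    slp_running = slpd_enabled(chkconfig)
    slp_open = cimslp_rule_enabled(ruleset)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        verdict = "outside-advisory"      # e.g. ESXi 8.x: not in the affected range
    elif build >= fixed:
        verdict = "patched"
    elif slp_running and slp_open:
        verdict = "VULNERABLE"            # unpatched and SLP reachable from the network
    else:
        verdict = "mitigated-unpatched"   # SLP stopped or firewalled; still patch it
    return {"branch": branch, "build": build, "slp_running": slp_running,
            "slp_open": slp_open, "verdict": verdict}


# Constructed sample outputs (not captured from a real host).
SAMPLE_VMWARE_VL = "VMware ESXi 7.0.0 build-16324942\nVMware ESXi 7.0 GA\n"
SAMPLE_CHKCONFIG = (
    "DCUI                    on\n"
    "slpd                    on\n"
    "TSM-SSH                 off\n"
)
SAMPLE_RULESET = (
    "Name                   Enabled\n"
    "---------------------  -------\n"
    "sshServer              true\n"
    "CIMSLP                 true\n"
)

if __name__ == "__main__":
    # Unpatched 7.0 build with slpd on and the CIMSLP rule open: VULNERABLE.
    print(audit_host(SAMPLE_VMWARE_VL, SAMPLE_CHKCONFIG, SAMPLE_RULESET))
```

Feed it the three outputs per host from whatever collector you already use (an SSH loop is enough), and treat "mitigated-unpatched" as a ticket, not a pass: the SLP workaround only blocks this one entry point, and the same build is still missing every later ESXi security fix.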

Securing VMware vCenter and ESXi

1. Isolate vCenter from the General Network

vCenter should never be reachable from the internet. Put it on a dedicated management network that only bastion hosts can reach, and restrict the appliance's own listeners as well.

# Minimum vCenter firewall rules
443/tcp (vSphere Client and API) → administrators only (allowlisted bastion/admin IPs)
5480/tcp (VAMI appliance management) → administrators only
Block all inbound access from the internet and from user networks

2. Disable Unnecessary Plugins

# Via the vSphere Client
Administration → Solutions → Client Plugins
→ Disable Virtual SAN Health Check if vSAN is not used
→ Disable VMware HCX, vSphere Replication if not used

Treat plug-in disabling as a stopgap. VMware's documented workaround for CVE-2021-21985 (KB 83829) did not use the UI: it marked the affected plug-ins incompatible in /etc/vmware/vsphere-ui/compatibility-matrix.xml and restarted the vsphere-ui service. The actual fix is the patched vCenter build.
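The file-based workaround from KB 83829, applied idempotently, as an added example that is not VMware's script: it marks the given plug-in ids incompatible in the compatibility matrix and leaves already-blocked entries alone. The element names (`pluginsCompatibility`, `PluginPackage` with `id` and `status="incompatible"`) and the vSAN Health plug-in id are taken from the KB as recalled here, and the sample matrix is constructed, so verify both against the current KB text and back up the real file before editing it.

```python
"""Mark vCenter client plug-ins incompatible in the vsphere-ui compatibility
matrix so the service refuses to load them. Added example following the
shape of the KB 83829 workaround for CVE-2021-21985: edit
/etc/vmware/vsphere-ui/compatibility-matrix.xml, then restart vsphere-ui
(service-control --stop vsphere-ui && service-control --start vsphere-ui).
Element names and the plug-in id below are assumptions to verify against
the KB; the sample matrix is constructed."""
import xml.etree.ElementTree as ET

# Assumed id of the Virtual SAN Health Check plug-in (verify in KB 83829).
VSAN_HEALTH_PLUGIN = "com.vmware.vsan.health"


def mark_incompatible(xml_text, plugin_ids):
    """Return (new_xml, changed_ids). Idempotent: re-running changes nothing."""
    root = ET.fromstring(xml_text)
    section = root.find("pluginsCompatibility")
    if section is None:
        section = ET.SubElement(root, "pluginsCompatibility")
    existing = {el.get("id"): el for el in section.findall("PluginPackage")}
    changed = []
    for pid in plugin_ids:
        el = existing.get(pid)
        if el is None:
            # No entry yet for this plug-in: add one and block it.
            el = ET.SubElement(section, "PluginPackage", id=pid)
            existing[pid] = el
        if el.get("status") != "incompatible":
            el.set("status", "incompatible")
            changed.append(pid)
    return ET.tostring(root, encoding="unicode"), changed


def blocked_plugins(xml_text):
    """Sorted ids currently marked incompatible, for a post-change check."""
    root = ET.fromstring(xml_text)
    return sorted(el.get("id") for el in root.iter("PluginPackage")
                  if el.get("status") == "incompatible")


# Constructed minimal matrix; a real file carries many more entries.
SAMPLE_MATRIX = """<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.example.keep" status="compatible"/>
  </pluginsCompatibility>
</Matrix>"""

if __name__ == "__main__":
    # On an appliance: read the real file, write new_xml back, restart vsphere-ui.
    new_xml, changed = mark_incompatible(SAMPLE_MATRIX, [VSAN_HEALTH_PLUGIN])
    print("changed:", changed)
    print("blocked:", blocked_plugins(new_xml))
```

Run `blocked_plugins` on the file after the vsphere-ui restart as the verification step, and remember to re-check the file after the next vCenter upgrade, which can replace it.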

3. Disable SLP on ESXi

# Disable the SLP service (the ESXiArgs entry point) and close its firewall rule.
# SLP is off by default from ESXi 7.0 U2c and was removed in ESXi 8.0.
/etc/init.d/slpd stop
esxcli network firewall ruleset set -r CIMSLP -e false
chkconfig slpd off

4. Enforce MFA on vCenter

Enforce multi-factor authentication for vCenter logins through vCenter's identity federation with your IdP (AD FS from vSphere 7.0; Okta and Microsoft Entra ID in the vSphere 8.0 updates) or through smart card / RSA SecurID in vCenter SSO, and keep the local administrator@vsphere.local account as a vaulted break-glass credential only. Note that the vSphere Authentication Proxy solves a different problem (joining ESXi hosts to Active Directory without storing domain credentials on the host) and provides no MFA.

5. Segment ESXi Management Traffic

ESXi VMkernel management traffic must be on a dedicated VLAN, not routable from user networks.

6. Out-of-Band Backups

VM backups must be stored in a backup system isolated from vCenter — ransomware that compromises vCenter can also delete native VMware snapshots and backups.

VMware Patch Management: Key Specifics

VMware publishes patches through the Broadcom Support Portal (formerly VMware Customer Connect). For ESXi, use vSphere Lifecycle Manager (formerly Update Manager) in vCenter, or the CLI on the host:

# Show the installed image profile and build; compare the build
# against the fixed build listed in the VMSA
esxcli software profile get
vmware -vl

# vMotion the VMs away, enter maintenance mode, then apply the offline bundle
esxcli system maintenanceMode set -e true
esxcli software vib update -d /vmfs/volumes/datastore/patch.zip
# Reboot if the output reports "Reboot Required: true", then leave maintenance mode
esxcli system maintenanceMode set -e false

Note: some ESXi patches require a hypervisor reboot — plan maintenance windows with prior vMotion migration.


Register your vCenter and ESXi versions in your asset inventory on cveo.tech to receive automatic alerts on new VMware CVEs.
