< Back to all blog posts

GreyNoise Identifies Vulnerability Checks of VMWare vCenter Remote File Upload (CVE-2021-22005)

The GreyNoise Team

On September 21, 2021 VMWare published an advisory for several vulnerabilities. This included, most notably, CVE-2021-22005, which affects their vCenter Server product. This vulnerability is an arbitrary file upload vulnerability that can lead to remote code execution (RCE) via upload of a specially crafted file. This works regardless of the configuration settings of vCenter Server.

Due to the severity of this vulnerability, VMWare published workaround instructions detailing how to manually or automatically patch the affected products. The automated patching script (available in the right-hand panel in the link above) includes logic to validate if your product is vulnerable to CVE-2021-22005 as well as confirm the patch has worked as expected.

As of September 23, 2021, there is no known publicly available proof-of-concept (PoC) code for the CVE that enables arbitrary file upload or RCE. However, GreyNoise is observing a significant number of checks for vulnerable instances of vCenter Server based off of the automated patching script provided by VMWare, most of these egressing via Tor.

Figure 1: Count of CVE-2021-22005 Vulnerability Checks by Day

The following tags have been released to enable monitoring of relevant activity:

Editors Note: If either of these tags return "no results'' this means that we have not observed any recent activity. You can be notified if this changes by using our Alerts feature.