Is CVE-2021-21972 actively exploited?

CVE-2021-21972 has no public evidence of in-the-wild exploitation as of 2025-10-30.

What is the CVSS score for CVE-2021-21972?

CVE-2021-21972 has a CVSS score of 9.8 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

How do I patch CVE-2021-21972?

Patch guidance is available from vmware security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2021-21972.

Fix CVE-2021-21972 - CRITICAL vmware cloud foundation

Q: Which products are affected by CVE-2021-21972?

43 products: vmware cloud foundation, vmware cloud foundation, vmware vcenter server, vmware vcenter server, vmware vcenter server, and 38 more.

Description

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-22 · Path Traversal CWE-22 · Path Traversal

Metadata

Primary Vendor: VMWARE
Published: 2/24/2021
Last Modified: 10/30/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

vmware : cloud_foundationvmware : cloud_foundationvmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_servervmware : vcenter_server

Remediation Guidance

Executive Summary

View on NIST NVD