Vulnerabilities ›

CVE-2021-21973

Critical 🇺🇸 CISA KEV ⚡ Exploit Available

VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability — VMware vCenter Server and Cloud Foundation Server contain a SSRF vulnerability due to improper validation

                    Published: Mar 7, 2022                                          ·  Source: CISA_KEV                

CVSS v3

9.0

🔗 NVD Official

📄 Description (English)

🤖 AI Executive Summary

CVE-2021-21973 is a critical Server-Side Request Forgery (SSRF) vulnerability in VMware vCenter Server and Cloud Foundation affecting versions prior to patching. With a CVSS score of 9.0 and publicly available exploits, this vulnerability enables attackers to bypass network controls and access sensitive internal resources, leading to information disclosure. Immediate patching is essential for all Saudi organizations running these virtualization platforms.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 20, 2026 01:16

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses severe risk to Saudi critical infrastructure sectors: (1) Banking & Financial Services (SAMA-regulated) — vCenter manages virtualized banking infrastructure and payment systems; (2) Government & Defense (NCA oversight) — federal data centers rely on VMware for classified workloads; (3) Energy Sector (ARAMCO, SEC) — critical SCADA and operational technology virtualization; (4) Telecommunications (STC, Mobily) — network infrastructure and customer data centers; (5) Healthcare (MOH) — patient data and medical imaging systems. SSRF exploitation could expose internal APIs, credentials, and sensitive databases across these sectors.

🏢 Affected Saudi Sectors

Banking & Financial Services Government & Defense Energy & Utilities Telecommunications Healthcare Critical Infrastructure

🎯 MITRE ATT&CK Techniques

T1190 — Exploit Public-Facing Application (vCenter plugin exploitation) T1021 — Remote Services (SSRF to access internal services) T1040 — Network Sniffing (SSRF to intercept internal traffic) T1557 — Man-in-the-Middle (SSRF to proxy internal requests) T1526 — Network Service Discovery (SSRF for internal reconnaissance) T1087 — Account Discovery (SSRF to enumerate internal accounts) T1580 — Cloud Infrastructure Discovery (Cloud Foundation reconnaissance)

⚖️ Saudi Risk Score (AI)

9.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all VMware vCenter Server and Cloud Foundation instances in your environment using asset discovery tools

2. Check current versions against VMware security advisory — affected versions include vCenter 6.5, 6.7, 7.0 prior to specific patch levels

3. Implement network segmentation to restrict vCenter Server access to authorized administrators only

4. Disable unnecessary vCenter plugins and review plugin configurations

PATCHING GUIDANCE:

1. Apply VMware security patches immediately (vCenter 7.0 U1c, 6.7 U3l, or later)

2. Test patches in non-production environment first

3. Schedule maintenance windows for production patching

4. Verify patch application using VMware's verification tools

COMPENSATING CONTROLS (if immediate patching not possible):

1. Implement Web Application Firewall (WAF) rules to block suspicious URL patterns in vCenter requests

2. Restrict outbound connections from vCenter Server to internal networks using firewall rules

3. Monitor and log all vCenter API calls and plugin activities

4. Implement strict input validation on all vCenter plugin endpoints

5. Use VPN/bastion hosts for all vCenter administrative access

DETECTION RULES:

1. Monitor for HTTP requests from vCenter Server to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)

2. Alert on vCenter plugin requests containing file:// or gopher:// protocols

3. Track failed authentication attempts to internal services originating from vCenter

4. Monitor for unusual DNS queries from vCenter Server process

5. Log and alert on vCenter API calls with suspicious URL parameters

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع مثيلات VMware vCenter Server و Cloud Foundation في بيئتك باستخدام أدوات اكتشاف الأصول

2. التحقق من الإصدارات الحالية مقابل مستشار أمان VMware — تشمل الإصدارات المتأثرة vCenter 6.5 و 6.7 و 7.0 قبل مستويات التصحيح المحددة

3. تنفيذ تقسيم الشبكة لتقييد وصول vCenter Server للمسؤولين المصرح لهم فقط

4. تعطيل المكونات الإضافية غير الضرورية ومراجعة تكوينات المكونات الإضافية

إرشادات التصحيح:

1. تطبيق تصحيحات أمان VMware على الفور (vCenter 7.0 U1c أو 6.7 U3l أو أحدث)

2. اختبار التصحيحات في بيئة غير الإنتاج أولاً

3. جدولة نوافذ الصيانة لتصحيح الإنتاج

4. التحقق من تطبيق التصحيح باستخدام أدوات التحقق من VMware

عناصر التحكم التعويضية (إذا لم يكن التصحيح الفوري ممكناً):

1. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر أنماط عناوين URL المريبة في طلبات vCenter

2. تقييد الاتصالات الصادرة من vCenter Server إلى الشبكات الداخلية باستخدام قواعد جدار الحماية

3. مراقبة وتسجيل جميع استدعاءات vCenter API وأنشطة المكونات الإضافية

4. تنفيذ التحقق الصارم من الإدخال على جميع نقاط نهاية المكونات الإضافية vCenter

5. استخدام VPN/أجهزة bastion لجميع وصول إدارة vCenter

قواعد الكشف:

1. مراقبة طلبات HTTP من vCenter Server إلى نطاقات IP الداخلية (10.0.0.0/8 و 172.16.0.0/12 و 192.168.0.0/16)

2. تنبيه على طلبات المكونات الإضافية vCenter التي تحتوي على بروتوكولات file:// أو gopher://

3. تتبع محاولات المصادقة الفاشلة للخدمات الداخلية من vCenter

4. مراقبة استعلامات DNS غير العادية من عملية vCenter Server

5. تسجيل والتنبيه على استدعاءات vCenter API مع معاملات URL المريبة

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 — Information Security Policies (vulnerability management) A.8.1.1 — User Endpoint Devices (secure configuration) A.8.2.1 — Privileged Access Rights (vCenter admin access control) A.8.3.1 — Access Restriction (network segmentation) A.12.2.1 — Change Management (patch deployment) A.12.6.1 — Management of Technical Vulnerabilities (SSRF remediation)

🔵 SAMA CSF

ID.AM-2 — Asset Management (inventory vCenter instances) PR.AC-1 — Access Control Policy (restrict vCenter access) PR.AC-3 — Access Enforcement (network segmentation) PR.AC-4 — Access Management (privileged account monitoring) PR.PT-2 — Protective Technology (WAF implementation) DE.CM-8 — Vulnerability Scans (detect SSRF exploitation attempts)

🟡 ISO 27001:2022

A.5.1 — Management Direction (vulnerability policy) A.8.1 — User Access Management (vCenter access control) A.8.3 — User Access Restriction (network controls) A.12.2 — Change Management (patch management) A.12.6 — Management of Technical Vulnerabilities (SSRF mitigation) A.13.1 — Network Security (segmentation and monitoring)

🟣 PCI DSS v4.0

Requirement 2.2 — Configuration Standards (vCenter hardening) Requirement 6.2 — Security Patches (timely patching) Requirement 6.5.1 — Injection Flaws (input validation) Requirement 10.2 — Logging (API activity monitoring) Requirement 11.2 — Vulnerability Scanning (SSRF detection)

🔗 References & Sources 0

No references.

📦 Affected Products / CPE 1 entries

VMware:vCenter Server and Cloud Foundation

📊 CVSS Score

9.0

/ 10.0 — Critical

📋 Quick Facts

Severity Critical

CVSS Score9.0

EPSS90.34%

Exploit ✓ Yes

Patch ✓ Yes

CISA KEV🇺🇸 Yes

KEV Due Date2022-03-21

Published 2022-03-07

Source Feed cisa_kev

🇸🇦 Saudi Risk Score

9.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

kev actively-exploited

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2021-21973

Introduce Yourself

Sign In Required