ALERT: Update VMware vCenter Server for critical vulnerability

Tuesday, September 28, 2021

The information below was sent to U-M IT groups on September 28, 2021. It is intended for U-M IT staff who are responsible for systems running VMware vCenter Server.


An arbitrary file upload vulnerability in the Analytics service of vCenter Server could allow for arbitrary code execution. VMware has released fixes/updates, as well as a workaround, to address the vulnerability.


An attacker with network access to port 443 can exploit the vulnerability to remotely execute code on vCenter Server.


VMware confirmed reports that CVE-2021-22005 is being exploited in the wild.

Affected Versions

vCenter Server 6.5, 6.7, and 7.0.

Action Items

The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

  • Upgrade to a fixed version as quickly as possible after appropriate testing. See VMware Security Advisory VMSA-2021-0020 for patching information.
  • If you are unable to upgrade to a fixed version immediately, apply the temporary workaround provided by VMware. See VMware’s workaround instructions for CVE-2021-22005.

Technical Details

The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. An attacker with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash). See VMSA-2021-0020: What You Need to Know for more information.

How We Protect U-M

  • ITS has applied the vCenter Server update to MiDesktop and MiServer.
  • ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.