April Vuln of the Month: CVE-2021-21972

Apr 14, 2021
Jerry Gamblin
Director of Security Research at Kenna Security

Share with Your Network

Yesterday was Patch Tuesday, which makes today Exploit Wednesday—the day we publish our latest Vuln of the Month blog. In this month’s blog we spotlight CVE-2021-21972, a named CVE  that may not already be on your radar screen, but probably should be.

This month’s vuln: CVE-2021-21972

April’s Vuln of the Month is CVE-2021-21972, which addresses a remote code execution vulnerability in a plugin of the vSphere HTML5 Client for vCenter Server.  As of this writing, CVE-2021-21972 has a Kenna Risk Score of 92, making it the highest-risk vulnerability covered in this series so far. 

 Our research shows that CVE-2021-24094 meets many of the criteria we look for to be widely exploited, including:

  • Access complexity: Low
  • Potential attack surface: >400K
  • Exploitable remotely: Yes
  • Authentication/privilege requirements: None
  • Potential impact on availability: Complete
  • Exploit code published: Yes
  • Active exploits observed: No

As the above graph illustrates, only 0.62% of observed vulnerabilities pose a larger risk than CVE-2021-21972.

As the above graph illustrates, only 0.62% of observed vulnerabilities pose a larger risk than CVE-2021-21972.

Why CVE-2021-21972 matters

While we have previously concentrated on vulnerabilities with wider installs (which usually means Windows CVEs), VSphere, VCenter Server, and VMware Cloud Foundation are essential components of virtual environments in more than 400,000 enterprises. And all of these are impacted by CVE-2021-21972.

Promptly remediating CVE-2021-21972 is advisable because a malicious actor with network access to port 443 can exploit this CVE with no credentials. PT Security, who discovered the vulnerability in November and informed VSphere maker VMware, describes the experience of testing an exploit of this vulnerability by uploading a .jsp script to the server, which then would allow attackers to remotely, and without authentication, execute arbitrary OS commands with unrestricted privileges. 

Like any responsible vendor, VMware published patches and remediation instructions (along with various workarounds) on its own security advisory site. This is noteworthy because our own research shows remediation velocity is largely influenced by the timely actions of vendors in issuing patches for new CVEs. (PT Security reports that VMWare was on the case within a day of their reporting the vuln.)

Bottom line on CVE-2021-21972

The high risk score associated with this vuln suggests that this vulnerability should be patched on every impacted VMware product.

Mitigation status

On Feb. 24, 2021, VMware published patches and links to workarounds for CVE-2021-21972 in a VMware Security Advisory.

Watch this space for future Vuln of the Month spotlights. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our extensive vulnerability intelligence powered by machine learning. 


Read the Latest Content

Trending Vulns

Are We Patching CVE-2020-0688 (the Microsoft Exchange RCE) Fast Enough?

Understand how remediation teams were doing against cve-2020-0688. Get tips now on how to deal with CVE 2020 0688.
Trending Vulns

Introducing Kenna’s Vuln of the Month Series

Our research shows that CVE-2021-1647 meets the criteria we look for to be exploited and that it has the potential for widespread impact.
Trending Vulns

March Vuln of the Month: CVE-2021-24094

Kenna is closely tracking CVE-2021-24094, a Remote Code Execution vuln in the default TCP/IP stack on all supported Microsoft OS.

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.