April Vuln of the Month: CVE-2021-21972

Apr 14, 2021
Jerry Gamblin
Director of Security Research at Kenna Security

Yesterday was Patch Tuesday, which makes today Exploit Wednesday—the day we publish our latest Vuln of the Month blog. This is the third in our new blog series spotlighting a named CVE that may not already be on your radar screen, but probably should be.

This month’s vuln: CVE-2021-21972

April’s Vuln of the Month is CVE-2021-21972, a remote code execution vulnerability in a plugin of the vSphere HTML5 Client for vCenter Server. As of this writing, CVE-2021-21972 has a Kenna Risk Score of 92, the highest of any vulnerability covered in this series so far.

Our research shows that CVE-2021-21972 meets many of the criteria we associate with vulnerabilities that go on to be widely exploited, including:

  • Access complexity: Low
  • Potential attack surface: >400K
  • Exploitable remotely: Yes
  • Authentication/privilege requirements: None
  • Potential impact on availability: Complete
  • Exploit code published: Yes
  • Active exploits observed: No

As the above graph illustrates, only 0.62% of observed vulnerabilities pose a larger risk than CVE-2021-21972.

Why CVE-2021-21972 matters

While we have previously concentrated on vulnerabilities with wider install bases (which usually means Windows CVEs), vSphere, vCenter Server, and VMware Cloud Foundation are essential components of virtual environments in more than 400,000 enterprises, and all of them are affected by CVE-2021-21972.

Promptly remediating CVE-2021-21972 is advisable because a malicious actor with network access to port 443 can exploit it without credentials. PT Security, which discovered the vulnerability in November and reported it to vSphere maker VMware, describes testing an exploit that uploads a .jsp script to the server, after which an attacker can remotely, and without authentication, execute arbitrary OS commands with unrestricted privileges.
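As an added example (not code from Kenna Security’s post or from VMware), the detection logic below applies the rule the paragraph implies to constructed access-log lines: flag POST requests to the vCenter UI that upload a file with a script extension, and rank uploads carrying no session as highest severity, since the paragraph notes the exploit needs no credentials. The log format, the upload= and session= fields, and the /ui/plugin/upload path are hypothetical placeholders; real vCenter logs would need their own parser.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample access-log lines (not from the page, Kenna or VMware).
# The format is a hypothetical combined-log variant with two extra fields:
# upload="<multipart filename>" and session="<session id, or - if none>".
# The path /ui/plugin/upload is a placeholder for the plugin upload endpoint.
SAMPLE_LOGS = [
    '10.0.0.5 - - [24/Feb/2021:10:01:02 +0000] "GET /ui/ HTTP/1.1" 200 512 "-" upload="-" session="-"',
    '203.0.113.7 - - [24/Feb/2021:10:02:15 +0000] "POST /ui/plugin/upload HTTP/1.1" 200 23 "-" upload="report.ova" session="-"',
    '203.0.113.7 - - [24/Feb/2021:10:02:16 +0000] "POST /ui/plugin/upload HTTP/1.1" 200 23 "-" upload="shell.jsp" session="-"',
    '10.0.0.9 - - [24/Feb/2021:10:05:00 +0000] "POST /ui/plugin/upload HTTP/1.1" 200 23 "-" upload="image.ova" session="abc123"',
    '10.0.0.9 - - [24/Feb/2021:10:05:30 +0000] "POST /ui/plugin/upload HTTP/1.1" 200 23 "-" upload="helper.jsp" session="abc123"',
    '203.0.113.7 - - [24/Feb/2021:10:06:40 +0000] "POST /ui/plugin/upload HTTP/1.1" 500 0 "-" upload="cmd.JSP" session="-"',
    'not a log line at all',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" '
    r'upload="(?P<upload>[^"]*)" session="(?P<session>[^"]*)"$'
)

# Extensions a servlet container executes rather than stores.
EXECUTABLE_EXTENSIONS = (".jsp", ".jspx")


@dataclass
class Finding:
    src: str
    ts: str
    path: str
    upload: str
    status: int
    severity: str  # "high" or "medium"
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_executable_upload(filename: str) -> bool:
    """True if the uploaded filename would be executed by the app server.
    Case-insensitive, so 'cmd.JSP' is caught along with 'shell.jsp'."""
    return filename.lower().endswith(EXECUTABLE_EXTENSIONS)


def classify(rec: dict) -> Optional[Finding]:
    """Detection rule: a POST whose uploaded filename is an executable script.
    No session means an unauthenticated upload (high); an authenticated one is
    still reported because uploading JSP to vCenter is not normal operator
    behaviour. Failed requests (non-2xx) are kept: attempts matter too."""
    if rec["method"] != "POST" or not is_executable_upload(rec["upload"]):
        return None
    unauth = rec["session"] == "-"
    return Finding(
        src=rec["src"], ts=rec["ts"], path=rec["path"], upload=rec["upload"],
        status=rec["status"],
        severity="high" if unauth else "medium",
        reason="unauthenticated script upload" if unauth else "authenticated script upload",
    )


def scan(lines: List[str]) -> List[Finding]:
    """Run parse + classify over a batch of lines, skipping unparseable ones."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = classify(rec)
        if f is not None:
            findings.append(f)
    return findings


def findings_by_source(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per source address to surface repeat offenders."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for f in results:
        print(f"[{f.severity}] {f.ts} {f.src} {f.path} upload={f.upload} "
              f"status={f.status} ({f.reason})")
    print(findings_by_source(results))
```

On the constructed sample, the scan reports three uploads: two unauthenticated ones from 203.0.113.7 (one of which the server rejected with a 500, still worth knowing about) and one authenticated upload from an internal address. The per-source count is what you would pivot on when deciding which hosts to isolate and inspect first.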

Like any responsible vendor, VMware published patches and remediation instructions (along with workarounds) on its own security advisory site. This is noteworthy because our own research shows that remediation velocity is largely driven by how quickly vendors issue patches for new CVEs. (PT Security reports that VMware was on the case within a day of receiving the report.)

Bottom line on CVE-2021-21972

The high risk score for this vuln means it should be patched on every affected VMware product.

Mitigation status

On Feb. 24, 2021, VMware published patches and links to workarounds for CVE-2021-21972 in a VMware Security Advisory.

Watch this space for future Vuln of the Month spotlights. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than on headlines, thanks in part to our extensive vulnerability intelligence powered by machine learning.

© 2021 Kenna Security. All Rights Reserved. Privacy Policy.