CVE-2021-21974

HIGH · EXPLOITED IN THE WILD · RANSOMWARE

VMware ESXi Remote Code Execution via OpenSLP Heap Overflow


Exploitation Summary

CVE-2021-21974 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io), including in ransomware campaigns. EIP tracks 7 public exploits from researchers including Shadow0ps, CYBERTHREATANALYSIS, n2x4.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2021-21974, a vulnerability in the Service Location Protocol (SLP) that allows remote code execution. The exploit leverages crafted SLP packets to trigger a heap-based buffer overflow, leading to arbitrary command execution.

Description

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution.

Exploits (7)

nomisec WORKING POC 186 stars
by Shadow0ps · remote
https://github.com/Shadow0ps/CVE-2021-21974

This repository contains a functional exploit for CVE-2021-21974, a vulnerability in the Service Location Protocol (SLP) that allows remote code execution. The exploit leverages crafted SLP packets to trigger a heap-based buffer overflow, leading to arbitrary command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ESXi (VMware) versions affected by CVE-2021-21974
No auth needed
Prerequisites: Network access to the target system · SLP service running on the target
devstral-2 · analyzed Feb 18, 2026
nomisec SCANNER 2 stars
by CYBERTHREATANALYSIS · poc
https://github.com/CYBERTHREATANALYSIS/ESXi-Ransomware-Scanner-mi

This repository contains a Python-based scanner that checks ESXi servers for signs of ransomware compromise by fetching HTML content and searching for specific ransom note strings. It supports single IP, CSV, and JSON input formats but does not exploit any vulnerability.

Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: VMware ESXi (version not specified)
No auth needed
Prerequisites: Network access to target ESXi servers · Open HTTP/HTTPS port on target
devstral-2 · analyzed Feb 18, 2026
nomisec SCANNER 2 stars
by n2x4 · poc
https://github.com/n2x4/Feb2023-CVE-2021-21974-OSINT

This repository contains scripts for scraping and analyzing ransomware-related data from Shodan and Censys, specifically targeting systems affected by CVE-2021-21974. It includes tools to gather IP addresses, wallet addresses, and transaction details but does not include functional exploit code.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: VMware ESXi (CVE-2021-21974)
No auth needed
Prerequisites: Shodan API key · Censys API key · List of target IPs or wallet addresses
devstral-2 · analyzed Feb 18, 2026
nomisec SCANNER
by abirasecurity · poc
https://github.com/abirasecurity/CVE-2021-21974_vuln_dectection

This repository contains a Python-based vulnerability detection tool for CVE-2021-21974, which targets VMware ESXi's SLP service. It tests for potential vulnerabilities by sending crafted SLP packets and analyzing responses without exploiting the vulnerability.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: VMware ESXi (SLP service)
No auth needed
Prerequisites: Network access to the target SLP service (port 427)
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by mercylessghost · remote
https://github.com/mercylessghost/CVE-2021-21974

The repository contains a functional Python-based exploit for CVE-2021-21974, targeting the OpenSLP service in VMware ESXi. The exploit leverages a heap overflow vulnerability to achieve remote code execution (RCE) by sending crafted SLP packets.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: VMware ESXi (7.x and earlier)
No auth needed
Prerequisites: Network access to the target ESXi host · OpenSLP service running on the target
devstral-2 · analyzed Feb 18, 2026
vulncheck_xdb WORKING POC
remote
https://github.com/OUB3LL4/vmware_esxi_exp

This repository contains a functional exploit for CVE-2021-21974, targeting a heap overflow vulnerability in VMware ESXi's OpenSLP service. The exploit demonstrates remote code execution (RCE) by leveraging heap manipulation and memory corruption techniques to achieve arbitrary command execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: VMware ESXi (OpenSLP service)
No auth needed
Prerequisites: Network access to the vulnerable OpenSLP service (port 427) · Heap defragmentation and precise memory manipulation
devstral-2 · analyzed Feb 25, 2026

References (3)

Core References
Third Party Advisory, VDB Entry (x_refsource_misc): https://www.zerodayinitiative.com/advisories/ZDI-21-250/
Exploit, Third Party Advisory, VDB Entry (x_refsource_misc): http://packetstormsecurity.com/files/162957/VMware-ESXi-OpenSLP-Heap-Overflow.html

Scores

CVSS v3: 8.8
EPSS: 0.4506
EPSS Percentile: 98.6%
Attack Vector: ADJACENT_NETWORK
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

VulnCheck KEV: 2023-02-03
InTheWild.io: 2023-02-03
Ransomware Use: Confirmed
CWE: CWE-787
Status: published
Products (6)
None/VMware Cloud Foundation 4.x before 4.2 and 3.x
None/VMware ESXi 6.5 before ESXi650-202102101-SG
None/VMware ESXi 6.7 before ESXi670-202102401-SG
None/VMware ESXi 7.0 before ESXi70U1c-17325551
vmware/cloud_foundation 3.0 - 3.10.1.2
vmware/esxi 6.5 (45 CPE variants)
Published: Feb 24, 2021
Tracked Since: Feb 18, 2026