CVE-2021-21978

CRITICAL EXPLOITED NUCLEI

VMware View Planner 4.0-4.5 - Unauthenticated Remote Code Execution via Logupload Arbitrary File Upload

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-21978 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including skytina, GreyOrder, me1ons, including a Metasploit module exploits/linux/http/vmware_view_planner_4_6_uploadlog_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2021-21978, which targets a path traversal vulnerability in VMware View Planner's log upload functionality. The exploit allows unauthenticated remote code execution by overwriting the `log_upload_wsgi.py` file with malicious content.

Description

VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application. An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted file leading to remote code execution within the logupload container.

Exploits (5)

nomisec WORKING POC 25 stars
by skytina · poc
https://github.com/skytina/CVE-2021-21978

This repository contains a functional exploit for CVE-2021-21978, which targets a path traversal vulnerability in VMware View Planner's log upload functionality. The exploit allows unauthenticated remote code execution by overwriting the `log_upload_wsgi.py` file with malicious content.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: VMware View Planner (versions affected by CVE-2021-21978)
No auth needed
Prerequisites: Network access to the target VMware View Planner instance · Python environment with `requests` library
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 23 stars
by GreyOrder · poc
https://github.com/GreyOrder/CVE-2021-21978

This repository contains a functional Go-based exploit for CVE-2021-21978, which allows unauthenticated arbitrary file upload and remote code execution in VMware View Planner Harness 4.X. The exploit crafts a malicious Python script, uploads it via a directory traversal vulnerability, and triggers command execution within a Docker container.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: VMware View Planner Harness 4.X
No auth needed
Prerequisites: Network access to the target system · Target running VMware View Planner Harness 4.X
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 5 stars
by me1ons · poc
https://github.com/me1ons/CVE-2021-21978

This repository contains a functional exploit for CVE-2021-21978, a remote code execution vulnerability in VMware View Planner. The exploit leverages a path traversal flaw to upload a malicious Python script to a writable directory, which then executes a reverse shell to an attacker-controlled VPS.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: VMware View Planner
No auth needed
Prerequisites: Network access to the target VMware View Planner instance · Attacker-controlled VPS to receive the reverse shell
devstral-2 · analyzed Feb 18, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/vvgoodman/poclist

The repository contains functional exploit code for multiple vulnerabilities, including CVE-2016-3088 (ActiveMQ arbitrary file write) and CVE-2020-17518 (Apache Flink file upload and directory traversal). The Python scripts demonstrate the vulnerabilities by crafting HTTP requests to exploit the respective flaws.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache ActiveMQ (5.x ~ 5.14.0), Apache Flink (1.11.0, 1.11.1, 1.11.2)
Auth required
Prerequisites: Network access to target · Valid credentials for authentication
devstral-2 · analyzed Feb 25, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Mikhail Klyuchnikov, wvu, Grant Willcox · rubypocpython
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_view_planner_4_6_uploadlog_rce.rb

This Metasploit module exploits an unauthenticated log file upload vulnerability in VMware View Planner 4.6 prior to Security Patch 1, allowing remote code execution as the apache user within the appacheServer Docker container. It uploads a malicious log_upload_wsgi.py file, triggers execution via an OPTIONS request, and restores the original file post-exploitation.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: VMware View Planner 4.6.0
No auth needed
Prerequisites: Network access to the target's HTTPS service (port 443) · Target running unpatched VMware View Planner 4.6
devstral-2 · analyzed Feb 19, 2026 Full analysis →

Nuclei Templates (1)

VMware View Planner <4.6 SP1- Remote Code Execution
CRITICALby dwisiswant0

References (2)

Core 2
Core References

Scores

CVSS v3 9.8
EPSS 0.9895
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-12-03
CWE
CWE-862 CWE-20
Status published
Products (2)
vmware/view_planner 4.6
vmware/view_planner 4.0 - 4.6
Published Mar 03, 2021
Tracked Since Feb 18, 2026