CVE-2021-21980

HIGH · EXPLOITED IN THE WILD

vSphere Web Client - Info Disclosure


Exploitation Summary

CVE-2021-21980 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 6 public exploits from researchers including Osyanina, pratikjojode, gui2000guix-ui.

AI-analyzed exploit summary: The repository claims to be a scanner for CVE-2021-21980 but lacks any actual code or technical details. It instructs users to download and run an executable without providing source code or explanation of the vulnerability mechanics.

Description

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.

Exploits (6)

nomisec · SUSPICIOUS · 6 stars
by Osyanina · poc
https://github.com/Osyanina/westone-CVE-2021-21980-scanner

The repository claims to be a scanner for CVE-2021-21980 but lacks any actual code or technical details. It instructs users to download and run an executable without providing source code or explanation of the vulnerability mechanics.

Classification: Suspicious 90%
Attack Type: Info Leak
Complexity: Theoretical
Reliability: Theoretical
Target: VMware vCenter (versions before 7.0.2.00100)
No auth needed
Prerequisites: Network access to vulnerable VMware vCenter instance
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC · 1 star
by pratikjojode · infoleak
https://github.com/pratikjojode/vcenter-cve-2021-21980-lab

This repository contains a functional exploit PoC for CVE-2021-21980, a path traversal vulnerability in VMware vCenter Server. It includes a Dockerized vulnerable test environment and a Nuclei template for detection.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: VMware vCenter Server 7.0, 6.7, 6.5 (unpatched)
No auth needed
Prerequisites: Network access to vulnerable vCenter Server
Analyzed by devstral-2 on Feb 19, 2026
nomisec · WORKING POC
by gui2000guix-ui · infoleak
https://github.com/gui2000guix-ui/cve-2021-21980-mock-server

This repository contains a functional mock server and Nuclei template to test CVE-2021-21980, a path traversal vulnerability in VMware vSphere Web Client. The Flask-based server simulates the vulnerable `/eam/vib` endpoint, allowing safe local testing of the exploit.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: VMware vSphere Web Client (mock)
No auth needed
Prerequisites: Docker · Nuclei (optional for scanning)
Analyzed by devstral-2 on Feb 19, 2026
nomisec · SCANNER
by Osyanina · poc
https://github.com/Osyanina/westone-CVE-2022-1388-scanner

This repository contains a scanner for CVE-2022-1388, an authentication bypass vulnerability in F5 BIG-IP iControl REST. The provided instructions are minimal and reference a mismatched CVE (2021-21980) in the clone URL, but the README explicitly mentions CVE-2022-1388.

Classification: Scanner 80%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Theoretical
Target: F5 BIG-IP iControl REST
No auth needed
Prerequisites: network access to target · iControl REST interface exposed
Analyzed by devstral-2 on Feb 16, 2026

References (1)

Patch, Vendor Advisory (x_refsource_misc): https://www.vmware.com/security/advisories/VMSA-2021-0027.html

Scores

CVSS v3: 7.5
EPSS: 0.0460
EPSS Percentile: 90.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV: 2022-05-31
InTheWild.io: 2022-05-31
Status: published
Products (3):
vmware/cloud_foundation 3.0
vmware/vcenter_server 6.5 (19 CPE variants)
vmware/vcenter_server 6.7 (16 CPE variants)
Published: Nov 24, 2021
Tracked Since: Feb 18, 2026