CVE-2021-22015

HIGH

VMware Cloud Foundation 3.0-5.0 and vCenter Server - Local Privilege Escalation via Improper File Permissions

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-22015. PoCs published by PenteraIO, h00die, Yuval Lazar, including Metasploit module exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc.

AI-analyzed exploit summary The repository contains a bash script that scans for the presence of CVE-2021-22015 by checking if the 'cis' group has write access to a specific file and if any user in that group has shell access. It does not exploit the vulnerability but detects its presence.

Description

The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. An authenticated local user with non-administrative privilege may exploit these issues to elevate their privileges to root on vCenter Server Appliance.

Exploits (2)

nomisec SCANNER 6 stars

by PenteraIO · poc

https://github.com/PenteraIO/vScalation-CVE-2021-22015

View Code ZIP pw:eip

The repository contains a bash script that scans for the presence of CVE-2021-22015 by checking if the 'cis' group has write access to a specific file and if any user in that group has shell access. It does not exploit the vulnerability but detects its presence.

Classification

Scanner 100%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: VMWare vCenter Server

Auth required

Prerequisites: Credentials for a Linux (PhotonOS) vCenter host · Shell access

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC MANUAL

by h00die, Yuval Lazar · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc.rb

View Code ZIP pw:eip

This Metasploit module exploits a privilege escalation vulnerability in VMware vCenter by modifying the /usr/lib/vmware-vmon/java-wrapper-vmon file, which is writable by the 'cis' group and executes as root upon service restart or host reboot. It backs up the original file, injects a payload, and attempts to restart the vmware-vmon service to trigger execution.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: VMware vCenter 6.5, 6.7, 7.0 (before specific updates)

Auth required

Prerequisites: Access to a user in the 'cis' group · Write access to /usr/lib/vmware-vmon/java-wrapper-vmon · Ability to restart the vmware-vmon service or reboot the host

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/170116/VMware-vCenter-vScalation-Privilege-Escalation.html

Patch, Vendor Advisory

https://www.vmware.com/security/advisories/VMSA-2021-0020.html

Scores

CVSS v3 7.8

EPSS 0.0181

EPSS Percentile 75.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-552

Status published

Products (4)

vmware/cloud_foundation 3.0 - 5.0

vmware/vcenter_server 6.5

vmware/vcenter_server 6.7

vmware/vcenter_server 7.0

Published Sep 23, 2021

Tracked Since Feb 18, 2026