VMware View Planner - RCE (CVE-2021-21978)

CVE-2021-21978 is a critical remote code execution vulnerability due to improper input validation and missing authorization in the logupload web application. Attackers with network access can exploit this flaw to upload and execute arbitrary files, potentially gaining full control over the affected container. This vulnerability could be leveraged for further lateral movement, data theft, or disruption of services within the targeted environment.

CrowdSec has been tracking this vulnerability and its exploits since 10th of July 2025.

CrowdSec network observations suggest that most exploitation of CVE-2021-21978 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. In addition, according to the CrowdSec network, attack volume against CVE-2021-21978 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.

Attackers exploit the /logupload endpoint of VMware View Planner by sending a POST request with a crafted logMetaData parameter containing path traversal sequences, enabling arbitrary file upload and potential remote code execution.