VMware View Planner - RCE (CVE-2021-21978)

CVE-2021-21978 is a critical remote code execution vulnerability due to improper input validation and missing authorization in the logupload web application. Attackers with network access can exploit this flaw to upload and execute arbitrary files, potentially gaining full control over the affected container. This vulnerability could be leveraged for further lateral movement, data theft, or disruption of services within the targeted environment.

CrowdSec has been tracking this vulnerability and its exploits since 10th of July 2025.

CrowdSec network observations suggest that most exploitation of CVE-2021-21978 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. CrowdSec data also reveals a clear uptick in attacks involving CVE-2021-21978 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.

Attackers exploit the /logupload endpoint of VMware View Planner by sending a POST request with a crafted logMetaData parameter containing path traversal sequences, enabling arbitrary file upload and potential remote code execution.