VMware vCenter Server - Arbitrary File Upload (CVE-2021-22005)

CVE-2021-22005, a vulnerability in VMware vCenter Server and VMware Cloud Foundation allows attackers with network access to port 443 to exploit an arbitrary file upload flaw in the Analytics service. By uploading specially crafted files, malicious actors can achieve remote code execution on the vCenter Server, potentially leading to full system compromise and further attacks within the virtual infrastructure.

CrowdSec has been tracking this vulnerability and its exploits since 12th of June 2025.

Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2021-22005 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. CrowdSec data also reveals a clear uptick in attacks involving CVE-2021-22005 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.

Attackers exploit this vulnerability by sending POST requests to /analytics/telemetry/ph/api/hyper/send, allowing them to upload arbitrary files and potentially execute code on vulnerable VMware vCenter Server instances.