CVE-2021-21974

Vulnerability Profile Updated 3 months ago
CVE-2021-21974 is a heap-overflow vulnerability in the OpenSLP service of VMware ESXi. The flaw allows an attacker to execute arbitrary code and take control of the affected host, a significant risk for organizations that rely on ESXi to run their virtual infrastructure.

The vulnerability was exploited in a global ransomware campaign against ESXi servers that combined it with an older flaw from 2020 (CVE-2020-3992) to deploy a new ransomware strain named ESXiArgs. The campaign was first flagged by the French Computer Emergency Response Team (CERT-FR) on February 3rd and has since compromised over 3,200 servers in countries including Canada, France, Finland, Germany, and the US. The primary method of compromise was an exploit for the two-year-old remote code execution (RCE) vulnerability CVE-2021-21974 in the hypervisor's Open Service Location Protocol (OpenSLP) service.

Although a patch for CVE-2021-21974 had been available for two years, the ESXiArgs campaign still found exploitable systems, underlining the importance of keeping systems up to date and the continuing difficulty organizations face in maintaining secure IT environments. Several agencies, including the US Cybersecurity and Infrastructure Security Agency (CISA) and France’s CERT-FR, have confirmed that the ESXiArgs ransomware campaign exploited this 2021 vulnerability. Given the popularity and wide use of VMware products, customers are advised to upgrade to the latest supported releases of vSphere components to address known vulnerabilities.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Esxi
Ransomware
Vmware
Esxiargs
Vulnerability
Vmware’s
Exploit
exploited
RCE (Remote ...
Remote Code ...
Exploits
Crowdstrike
Hypervisor
Malware
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2020-3992 | Unspecified | 1 | None
CVE-2019-5544 | Unspecified | 1 | CVE-2019-5544 is a significant vulnerability involving a flaw in the software design or implementation of VMWare's OpenSLP service. This vulnerability, known as a heap buffer overflow, can potentially allow an attacker to execute arbitrary code on the server and compromise the system. OpenSLP (Servi
Source Document References
Information about the CVE-2021-21974 vulnerability was read from the documents corpus below. This display is limited to 20 results.
Source, Created At: Title
Unit42, 6 months ago: Ransomware Retrospective 2024: Unit 42 Leak Site Analysis
CERT-EU, 7 months ago: 12 Top Hacks, Data Breaches, Missteps of 2023 | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU, a year ago: Cybersecurity threatscape: Q1 2023
CERT-EU, a year ago: VMware patches critical bugs in network analytics tool
BankInfoSecurity, a year ago: Massive Ransomware Campaign Targets VMware ESXi Servers
CERT-EU, a year ago: Ransomware scum attack old VMWare ESXi vulnerability
Securityaffairs, a year ago: Italian ACN warns ransomware campaign targeting VMware ESXi
CSO Online, a year ago: Massive ransomware attack targets VMware ESXi servers worldwide
DARKReading, a year ago: Global Ransomware Attack on VMware EXSi Hypervisors Continues to Spread
CERT-EU, a year ago: Massive ransomware campaign targets unpatched VMware servers via old vulnerability
CERT-EU, a year ago: Hackers exploiting two-year-old VMware flaw to launch large-scale ransomware campaign
Securityaffairs, a year ago: Italy, France and Singapore Warn of a Spike in ESXI Ransomware
Checkpoint, a year ago: 6th February – Threat Intelligence Report - Check Point Research
Malwarebytes, a year ago: Two year old vulnerability used in ransomware attack against VMware ESXi
Naked Security, a year ago: VMWare user? Worried about “ESXi ransomware”? Check your patches now!
DARKReading, a year ago: Ongoing VMware ESXi Ransomware Attack Highlights Inherent Virtualization Risks
InfoSecurity-magazine, a year ago: CISA Releases Recovery Tool for VMware Ransomware Victims
CERT-EU, a year ago: CISA releases tool to recover encrypted VMware ESXi servers
CERT-EU, a year ago: VMware ESXi ransomware: CISA releases a rescue script
CERT-EU, a year ago: What the attack on ESXi servers can teach us about ransomware | Il corriere della sicurezza