CVE-2021-21972 VSphere Exploitation

 1title: CVE-2021-21972 VSphere Exploitation
 2id: 179ed852-0f9b-4009-93a7-68475910fd86
 3status: test
 4description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
 5references:
 6    - https://www.vmware.com/security/advisories/VMSA-2021-0002.html
 7    - https://f5.pm/go-59627.html
 8    - https://swarm.ptsecurity.com/unauth-rce-vmware
 9author: Bhabesh Raj
10date: 2021/02/24
11modified: 2023/01/02
12tags:
13    - attack.initial_access
14    - attack.t1190
15    - cve.2021.21972
16    - detection.emerging_threats
17logsource:
18    category: webserver
19detection:
20    selection:
21        cs-method: 'POST'
22        cs-uri-query: '/ui/vropspluginui/rest/services/uploadova'
23    condition: selection
24falsepositives:
25    - OVA uploads to your VSphere appliance
26level: high

References

• VMSA-2021-0002

  

  VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)

  
  Read More

• CVE-2021-21972 vCenter 6.5-7.0 RCE 漏洞分析

  

  CVE-2021-21972 vCenter 6.5-7.0 RCE 漏洞分析

  
  Read More

• Unauthorized RCE in VMware vCenter

  

  Since the PoC for the VMware vCenter RCE (CVE-2021-21972) is now readily available, we’re publishing our article covering all of the technical details. In fall of 2020, I discovered couple vulnerabilities in the vSphere Client component of VMware vCenter. These vulnerabilities allowed non-authorized clients to execute arbitrary commands and send requests on behalf of the […]

  
  Read More

Related rules

• CVE-2021-21978 Exploitation Attempt
• CVE-2021-33766 Exchange ProxyToken Exploitation
• CVE-2023-46747 Exploitation Activity - Proxy
• CVE-2023-46747 Exploitation Activity - Webserver
• Confluence Exploitation CVE-2019-3398