vulnerability

VMware vCenter: CVE-2021-21986: Authentication mechanism issue in vCenter Server Plug-ins

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	May 25, 2021	May 27, 2021	Jan 20, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

May 25, 2021

Added

May 27, 2021

Modified

Jan 20, 2026

Description

The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication.

Solution

vmware-vcenter-server-upgrade-latest

References

CVE-2021-21986
https://attackerkb.com/topics/CVE-2021-21986
http://packetstormsecurity.com/files/162812/VMware-Security-Advisory-2021-0010.html
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23602
CWE-306

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report