Manual Mitigation for CVE-2021-21972

By Patrick Mccrudden(csp) posted 03-02-2021 10:28


A recently discovered vulnerability in VMware vCenter Server has been assigned CVE-2021-21972. The vulnerability allows unauthorized clients to execute arbitrary commands and send requests on behalf of the targeted server via file upload.


Vulnerability Description:
You can read more about it in the blog post published by PT SWARM at the following link:


Cloud WAF customers and On-Prem customers that have the “SecureSphere Emergency Feed” (THR feeds) are already protected out of the box (OOTB).


Below are manual mitigation steps to address VMware vCenter Exploitation (for On-Prem customers):


  1. Create a new manual dictionary or use an existing one
  2. Create a new signature (inside the dictionary from the previous step) with the following definition:


  • Signature name: CVE-2021-21972: VMWare Vcenter - File upload
  • Signature pattern: part="/ui/vropspluginui/rest/services/uploadova", part="uploadFile", rgxp="uploadFile\s?\="
  • Protocols:
  • Search Signature in: Urls And Parameters


  3. Create a new “HTTP Protocol Signatures” policy that uses the dictionary from step 1 and apply it
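
Before applying the policy, the signature pattern above can be checked offline against sample requests to see which ones it would and would not flag. The following is an added example, not Imperva's code or the SecureSphere engine. It assumes every `part=` is a case-sensitive substring test, that all parts and the `rgxp` must hit, and that "Urls And Parameters" is the decoded URL plus `name=value` text; the function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Copied from the signature pattern on this page.
PARTS = ("/ui/vropspluginui/rest/services/uploadova", "uploadFile")
RGXP = re.compile(r"uploadFile\s?\=")


def signature_matches(url, params):
    """Emulate the signature over 'Urls And Parameters'.

    Assumptions (not SecureSphere's engine): every part= is a case-sensitive
    substring test, all parts and the rgxp must hit, and parameters are
    rendered as name=value text after one round of URL decoding.
    """
    text = unquote(url) + " " + " ".join(f"{n}={v}" for n, v in params)
    return all(p in text for p in PARTS) and RGXP.search(text) is not None


def flagged(requests):
    """Return the ids of the requests the emulated signature would flag."""
    return [rid for rid, url, params in requests if signature_matches(url, params)]


# Constructed sample requests (id, URL, parsed parameters); not real traffic.
SAMPLES = [
    ("upload", "/ui/vropspluginui/rest/services/uploadova",
     [("uploadFile", "<archive bytes>")]),
    ("encoded-path", "/ui/vropspluginui/rest/services/upload%6Fva",
     [("uploadFile", "<archive bytes>")]),
    ("spaced-name", "/ui/vropspluginui/rest/services/uploadova",
     [("uploadFile ", "<archive bytes>")]),
    # Same endpoint, no upload parameter: the parts and rgxp do not all hit.
    ("no-param", "/ui/vropspluginui/rest/services/uploadova", []),
    # Same parameter name on an unrelated application path.
    ("other-app", "/portal/documents/new", [("uploadFile", "report.pdf")]),
    ("other-param", "/ui/vropspluginui/rest/services/uploadova",
     [("file", "x")]),
]

if __name__ == "__main__":
    print(flagged(SAMPLES))
```

The two-part requirement is what keeps the signature from firing on other applications that happen to use an `uploadFile` parameter.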