CVE-2021-21975

CVE Database · CVE-2021-21975

CVE-2021-21975

· HIGHAnalyzed

CVSS v3.1

7.5

EPSS

78.44%

Published

Mar 31, 2021

Modified

Oct 30, 2025

CISA Known Exploited Vulnerability

Added: 2022-01-18 · Due: 2022-02-01

Apply updates per vendor instructions.

Public PoC / Exploit (10)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCrabidwh0re/REALITY_SMASHER★37 GitHub PoCGuayoyoCyber/CVE-2021-21975★27 GitHub PoCAl1ex/CVE-2021-21975★13 GitHub PoCHenry4E36/VMWare-vRealize-SSRF★12 GitHub PoCmurataydemir/CVE-2021-21975★4 GitHub PoCVulnmachines/VMWare-CVE-2021-21975★3 GitHub PoCdorkerdevil/CVE-2021-21975★2 GitHub PoCDarkFunct/exp_hub★0

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-918CWE-918

Affected Products (27)

vmware · cloud_foundationvulnerable

References (5)

http://packetstormsecurity.com/files/162349/VMware-vRealize-Operations-Manager-Server-Side-Request-Forgery-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

https://www.vmware.com/security/advisories/VMSA-2021-0004.html

Vendor Advisory

http://packetstormsecurity.com/files/162349/VMware-vRealize-Operations-Manager-Server-Side-Request-Forgery-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

https://www.vmware.com/security/advisories/VMSA-2021-0004.html

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21975

KEV Catalog EPSS Scores Vendors All CVEs