CISA: Critical VMware vulnerability, patch immediately if found


Critical Infrastructure Colleagues and Partners,


CISA is aware of the likelihood that cyber threat actors are attempting to exploit CVE-2021-21985, a remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation.  This vulnerability was discussed on the May 27 CISA weekly SOC call.


Although patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system.   VMware vCenter Server and VMware Cloud Foundation are part of the underlying infrastructure for most agencies with on premises network management. Based off CISA visibility, several agencies are showing unpatched instances of these products.


CISA encourages agencies, state and local governments, critical infrastructure entities, and other private sector organizations to review VMware’s VMSA-21-0010blogpost, and FAQ for more information about the vulnerability and apply the necessary updates as soon as possible, even if out-of-cycle work is required. If your organization cannot immediately apply the update, then apply the workarounds in the interim.



To report an incident or indicators of potential compromise, visit For general questions and inquiries, contact




Steve Lyddon

Protective Security Advisor, Region 5, Illinois

Cybersecurity and Infrastructure Security Agency

Cell:  217-299-3954 |