PatchSiren cyber security CVE debrief
CVE-2021-21975 VMware CVE debrief
CVE-2021-21975 is a VMware server-side request forgery (SSRF) issue affecting the vRealize Operations Manager API. CISA added it to the Known Exploited Vulnerabilities catalog on 2022-01-18 and marked it as having known ransomware campaign use. The listed required action is to apply updates per vendor instructions.
- Vendor: VMware
- Product: vRealize Operations Manager API
- CVSS: Unknown
- CISA KEV: Listed
- Original CVE published: 2022-01-18
- Original CVE updated: 2022-01-18
- Advisory published: 2022-01-18
- Advisory updated: 2022-01-18
Who should care
Organizations running the VMware vRealize Operations Manager API should prioritize this issue, especially the security, infrastructure, and operations teams responsible for patching internet-facing or broadly reachable management services. Because CISA lists it in KEV and notes ransomware campaign use, exposure should be treated as high priority.
Technical summary
The vulnerability is identified as a server-side request forgery in the vRealize Operations Manager API. SSRF flaws can allow an attacker to induce the server to make unintended network requests. Based on the supplied sources, the confirmed defensive takeaway is that this CVE is known exploited and should be remediated according to VMware’s update guidance.
Defensive priority
High. This CVE is on CISA’s Known Exploited Vulnerabilities catalog, and CISA notes known ransomware campaign use. The supplied source also gives a remediation due date of 2022-02-01, indicating urgent patching priority.
Recommended defensive actions
- Apply VMware updates per vendor instructions.
- Check whether any vRealize Operations Manager API instances are deployed and verify their patch status.
- Prioritize exposed, production, and management-plane deployments for remediation.
- Monitor for abnormal outbound or internal request patterns from the affected service where logging is available.
- Use the CISA KEV listing and NVD record as confirmation points during incident and patch tracking.
Evidence notes
Source corpus confirms the CVE title and description as a VMware SSRF in vRealize Operations Manager API. CISA KEV metadata supplied with the record states: vendorProject VMware, product vRealize Operations Manager API, dateAdded 2022-01-18, dueDate 2022-02-01, knownRansomwareCampaignUse Known, and requiredAction Apply updates per vendor instructions. Official reference links supplied include the CVE record, NVD detail page, CISA KEV catalog, and the source-item JSON feed.
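One way to use the KEV fields quoted above for patch tracking, shown as an added example (not code from this page, CISA, or VMware): it matches KEV-style records against an asset inventory and orders unpatched findings by ransomware use, exposure, and days past dueDate. The inventory, host names, and the second catalog entry are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. The CVE-2021-21975
# values are the ones quoted on this page; the second entry is a placeholder.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2021-21975", "vendorProject": "VMware",
  "product": "vRealize Operations Manager API",
  "dateAdded": "2022-01-18", "dueDate": "2022-02-01",
  "knownRansomwareCampaignUse": "Known",
  "requiredAction": "Apply updates per vendor instructions."},
 {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
  "product": "Example Product",
  "dateAdded": "2022-01-10", "dueDate": "2022-07-10",
  "knownRansomwareCampaignUse": "Unknown",
  "requiredAction": "Apply updates per vendor instructions."}]}""")

# Hypothetical inventory (constructed): host, vendor, product, exposed, patched CVEs
INVENTORY = [
    ("vrops-dr-03", "VMware", "vRealize Operations Manager API", False, {"CVE-2021-21975"}),
    ("app-01", "ExampleVendor", "Example Product", True, set()),
    ("vrops-lab-02", "vmware", "vRealize  Operations Manager API", False, set()),
    ("vrops-prod-01", "VMware", "vRealize Operations Manager API", True, set()),
]

def _key(vendor, product):
    """Normalise case and whitespace so inventory spelling drift still matches."""
    return (" ".join(vendor.lower().split()), " ".join(product.lower().split()))

def triage(kev, inventory, today):
    """Return unpatched KEV matches, most urgent first."""
    findings = []
    for host, vendor, product, exposed, patched in inventory:
        for v in kev["vulnerabilities"]:
            if _key(v["vendorProject"], v["product"]) != _key(vendor, product):
                continue
            if v["cveID"] in patched:
                continue
            findings.append({
                "host": host, "cve": v["cveID"], "exposed": exposed,
                "ransomware": v["knownRansomwareCampaignUse"] == "Known",
                "days_overdue": (today - date.fromisoformat(v["dueDate"])).days,
                "action": v["requiredAction"],
            })
    # Known ransomware use first, then exposed assets, then most overdue.
    findings.sort(key=lambda f: (not f["ransomware"], not f["exposed"], -f["days_overdue"]))
    return findings

if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date(2022, 2, 15)):
        print(f)
```

A negative days_overdue means the due date has not yet passed; patched hosts drop out of the result entirely.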
Official resources
- CVE-2021-21975 CVE record (CVE.org)
- CVE-2021-21975 NVD detail (NVD)
- CISA Known Exploited Vulnerabilities catalog (CISA - Apply updates per vendor instructions.)
- Source item URL (cisa_kev)
Publicly disclosed and added to CISA’s Known Exploited Vulnerabilities catalog on 2022-01-18, using the CVE published date supplied in the source corpus.