CVE DATABASE / CVE-2021-21975
CVE-2021-21975
VMware Server Side Request Forgery in vRealize Operations Manager API
CVSS 7.5 · HIGH
⚠ CISA KEV — ACTIVELY EXPLOITED
RANSOMWARE
On the CISA KEV catalog
Confirmed exploited in the wild. Added 2022-01-18.
Federal remediation due 2022-02-01.
Required action: Apply updates per vendor instructions.
Summary
Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.
CVSS 3.1 breakdown
| Base score | 7.5 (HIGH) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | NONE |
| Availability | NONE |
Weakness type (CWE)
Affected products
Vmware cloud foundationVmware vrealize operations managerVmware vrealize suite lifecycle manager
Check this CVE live
Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.
References
- http://packetstormsecurity.com/files/162349/VMware-vRealize-Operations-Manager-Server-Side-Request-Forgery-Code-Execution.html
- https://www.vmware.com/security/advisories/VMSA-2021-0004.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21975
Data: NIST NVD + CISA KEV. NVD last modified 2025-10-30. Always verify against the vendor advisory before acting.