VMWare fixes an important privilege escalation vulnerability in vCenter Server (VMSA-2021-0025)

Reading Time: 2 minutes


This week, VMware released an update that addresses a vulnerability in vCenter Server. This vulnerability can be used to compromise vCenter Server installations and the ESXi host they manage.

The vulnerability exists in VMware Cloud Foundation, too.

About vCenter Server

VMware vCenter Server, formerly known as VirtualCenter, is the centralized management tool for the vSphere suite. vCenter Server allows for the management of multiple ESXi hosts and virtual machines (VMs) from different ESXi hosts through a single console or web application.

About the vulnerability

The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. VMware identifies the vulnerability as CVE-2021-22048 and VMSA-2021-0025 and has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group.

This vulnerability was privately reported to VMware by Yaron Zinar and Sagi Sheinfeld of Crowdstrike.

How to fix the situation

VMware has investigated and determined that the possibility of exploitation can be removed by applying a workaround. The workaround for CVE-2021-22048 is to switch from Integrated Windows Authentication (IWA) to

Call to action

As many online HOWTO’s explain how to configure vCenter Server Single Sign-on using Integrated Windows Authentication (IWA), most vCenter Server implementations are vulnerable to privilege escalation attacks.

Please switch the Single Sign-on configuration of your vCenter Server(s) to LDAPS or AD FS.

Further reading

vSphere Authentication with vCenter Single Sign-On 
Active Directory over LDAP and OpenLDAP Server Identity Source Settings  
Configure vCenter Server Identity Provider Federation for AD FS

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.