The virtualization control plane keeps getting RCE'd, and ESXiArgs showed why that matters
vCenter and ESXi run your entire virtual estate. A run of pre-auth RCEs in vCenter (CVE-2021-21972, CVE-2021-21975, CVE-2021-21985, CVE-2021-22005) and the ESXi OpenSLP bugs (CVE-2019-5544, CVE-2020-3992) that fed the ESXiArgs ransomware wave show why the management layer is a crown-jewel target.
VMware’s management layer is one of the highest-value targets in any data center, because it controls everything else. vCenter Server manages the whole virtual estate; ESXi is the hypervisor every VM runs on. Compromise either and you’re above all the workloads at once. The catalog reflects how attractive that is: a run of unauthenticated RCEs in vCenter, CVE-2021-21972, CVE-2021-21975, CVE-2021-21985, and CVE-2021-22005, plus the ESXi OpenSLP flaws CVE-2019-5544 and CVE-2020-3992 that powered the ESXiArgs ransomware campaign, which mass-encrypted thousands of internet-exposed ESXi hosts in early 2023.
The cluster
- vCenter pre-auth RCE. CVE-2021-21972 (a file-upload RCE in the vSphere Client’s vROps plugin, March 2021), CVE-2021-21985 (the vSAN plugin RCE), and CVE-2021-22005 (an analytics-service file-upload RCE, September 2021) each let an unauthenticated attacker with network access to vCenter’s web interface (port 443) execute code, often as root/SYSTEM. CVE-2021-21975 is an SSRF in the related vRealize/Aria Operations. Public exploits followed each within days, and mass scanning was immediate.
- ESXi OpenSLP RCE. CVE-2019-5544 and CVE-2020-3992 are heap/use-after-free flaws in ESXi’s OpenSLP service (port 427). In February 2023, the ESXiArgs ransomware campaign used OpenSLP exposure to encrypt the virtual machines on thousands of internet-reachable ESXi hosts at once, a mass event that hit hosting providers and enterprises worldwide.
CISA’s Known Exploited Vulnerabilities catalog lists all of these with the known-ransomware-use flag. The throughline is that the virtualization control plane is internet-exposed more often than it should be, runs with high privilege, and yields its entire blast radius, every VM it manages, in a single compromise.
Why the management layer is crown-jewel infrastructure
This is the same logic as the ESX Admins auth bypass (CVE-2024-37085): ransomware crews love the hypervisor because encrypting it encrypts everything on it simultaneously, and they love vCenter because it administers the hypervisors. A pre-auth RCE on vCenter is a path to controlling, or destroying, the whole virtual estate. ESXiArgs proved the destruction case at scale, and it specifically exploited the unglamorous OpenSLP service that few admins remembered was even listening.
What to do
- Patch vCenter and ESXi promptly, every advisory. These bugs were all fixed; the victims lagged. Treat VMware management-plane updates as emergency-grade.
- Get vCenter and ESXi management interfaces off the internet. Neither the vCenter web client nor ESXi management/OpenSLP should be reachable from the open internet. Restrict them to a dedicated management network. This single control would have prevented the bulk of the vCenter exploitation and the ESXiArgs campaign.
- Disable OpenSLP on ESXi if you don’t use it. VMware has recommended disabling the SLP service on ESXi for years; it’s the service ESXiArgs abused, and most environments don’t need it.
- Treat the virtualization layer as tier-zero. Segment it, enforce strong authentication, monitor it closely, and limit who can reach it. A compromise here is a whole-estate event.
- Keep backups resilient to hypervisor compromise. As with backup infrastructure, keep recovery copies that an attacker who owns ESXi can’t reach, and test restores, so a mass-encryption event like ESXiArgs doesn’t leave you without options.
- Assume compromise on exposed, unpatched hosts and hunt for web shells on vCenter, unexpected processes, and ransomware staging on ESXi.
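To verify the OpenSLP item above across a fleet rather than trust that it was done, here is an added example (my own, not code from the article or from VMware) that checks the two things VMware’s SLP guidance (KB 76372) has you confirm: that slpd is off at boot and that the CIMSLP firewall ruleset is closed. It assumes the column layouts shown in its constructed sample outputs, and the function name slp_audit is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the article or from VMware: audit an ESXi host's
# SLP state from the output of `chkconfig --list` and `esxcli network firewall
# ruleset list`, the two checks VMware's SLP guidance (KB 76372) uses to confirm
# slpd is off at boot and the CIMSLP firewall rule (port 427) is closed.

# Constructed sample outputs standing in for the live commands: a host that
# still exposes SLP, and the same host after remediation.
EXPOSED_CHKCONFIG='slpd            on
sfcbd-watchdog  on
ntpd            off'
EXPOSED_RULESETS='Name       Enabled
---------  -------
sshServer  true
CIMSLP     true
DHCPv6     false'
HARDENED_CHKCONFIG='slpd            off
sfcbd-watchdog  on
ntpd            off'
HARDENED_RULESETS='Name       Enabled
---------  -------
sshServer  true
CIMSLP     false
DHCPv6     false'

# slp_audit CHKCONFIG_OUTPUT RULESET_OUTPUT
# Prints one finding per problem, with its fix, and returns 0 only when SLP is
# fully disabled. A missing slpd service or CIMSLP rule (builds that dropped
# SLP entirely) counts as disabled rather than as a finding.
slp_audit() {
  service_state=$(printf '%s\n' "$1" | awk '$1 == "slpd" { print $2 }')
  rule_state=$(printf '%s\n' "$2" | awk '$1 == "CIMSLP" { print $2 }')
  rc=0
  if [ -n "$service_state" ] && [ "$service_state" != "off" ]; then
    echo "FAIL slpd starts at boot; fix: /etc/init.d/slpd stop && chkconfig slpd off"
    rc=1
  fi
  if [ -n "$rule_state" ] && [ "$rule_state" != "false" ]; then
    echo "FAIL CIMSLP ruleset open; fix: esxcli network firewall ruleset set -r CIMSLP -e 0"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "PASS slpd off and CIMSLP ruleset closed"; fi
  return "$rc"
}

# On a live host, replace the samples with the real command output:
#   slp_audit "$(chkconfig --list)" "$(esxcli network firewall ruleset list)"
echo "== before remediation =="; slp_audit "$EXPOSED_CHKCONFIG" "$EXPOSED_RULESETS" || :
echo "== after remediation  =="; slp_audit "$HARDENED_CHKCONFIG" "$HARDENED_RULESETS" || :
```

Run it from the ESXi shell (or over SSH from a management host) and treat any FAIL line as an open port 427 on that hypervisor; a clean PASS is the state ESXi has shipped with by default since SLP was disabled out of the box.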
The reframe is to defend the virtualization control plane like the crown jewel it is, because to attackers it plainly is one. vCenter’s run of pre-auth RCEs and the ESXiArgs mass-encryption of ESXi both reduce to the same exposure: a high-privilege management layer reachable from places it shouldn’t be. Patch it, get it off the internet, disable the services you don’t use, and keep backups it can’t touch. We track the vCenter and ESXi entries with crown-jewel weight, because one bug there is every VM you run.