CVE-2021-21974 is a heap-based buffer overflow in the OpenSLP service (slpd) as used by VMware ESXi. It affects ESXi 7.0 before ESXi70U1c-17325551, ESXi 6.7 before ESXi670-202102401-SG, and ESXi 6.5 before ESXi650-202102101-SG; VMware Cloud Foundation 4.x and 3.x deployments using affected ESXi are also impacted. The provided technical context states the flaw is in the SLPParseSrvURL function while processing SLP Directory Agent Advertisement traffic. The vulnerable logic allocates a heap buffer sized for the URL, then under malformed input conditions can use strstr/memcpy in a way that copies the URL plus part of the scopes field into that smaller destination buffer, causing a heap overflow. The issue is reachable via the OpenSLP service on port 427, including UDP/427 as noted in the supporting content, and can be exploited by a malicious actor on the same network segment to achieve remote code execution on the ESXi host.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository provides a proof-of-concept (PoC) exploit for CVE-2021-21974, a remote code execution vulnerability in the OpenSLP service of VMware ESXi (7.x and earlier). The main exploit script, '2021-21974-POC.py', is a Python 3 program that connects to the target ESXi host on TCP port 427 (the default OpenSLP port) and sends crafted SLP packets to trigger the vulnerability. Upon successful exploitation, it executes a shell command on the target that creates a named pipe and attempts to establish a reverse shell connection back to the attacker's machine at 192.168.0.194:80 using netcat. The repository also includes a README.md with detailed usage instructions, requirements, and mitigation advice, and a requirements.txt listing Python dependencies. The exploit is intended for educational and research purposes only and is not weaponized; the payload IP address must be changed by the user to receive the reverse shell. The attack vector is network-based, requiring only network access to the vulnerable ESXi host.
This repository contains a proof-of-concept (PoC) exploit for CVE-2021-21974, a remote code execution vulnerability in VMware ESXi 6.7.0 (builds 14320388 and 16316930). The main file, '2021-21974-POC.py', is a Python script that targets the Service Location Protocol (SLP) service on port 427 of a vulnerable ESXi host. The exploit crafts and sends a series of SLP protocol messages to trigger the vulnerability, ultimately allowing the attacker to execute arbitrary shell commands on the target system. By default, the payload establishes a reverse shell from the ESXi host to the attacker's machine at 192.168.0.194:80 using a named pipe at /tmp/backpipe. The script is operational and requires the attacker to specify the target's IP address as a command-line argument. The repository also includes a brief README.md describing the exploit's purpose. No detection scripts or framework integration are present; the code is a standalone exploit PoC.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A VMware ESXi vulnerability used by the threat actor to achieve remote code execution on ESXi hosts during lateral movement in the telecom intrusions.
VMware ESXi の OpenSLP に関する脆弱性で、427/UDP 経由で悪用され、ESXiArgs ランサム攻撃で悪用されていると本文は説明している。
A specific vulnerability explicitly cited as used by Sea Turtle for exploitation to achieve client code execution.
A heap-overflow vulnerability in VMware ESXi OpenSLP service that allows remote code execution.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.