VMware ESXi
VMware ESXi is VMware's bare-metal Type 1 hypervisor, deployed widely in enterprise data centers and private cloud infrastructure. Because ESXi hosts sit below all guest workloads, vulnerabilities in the hypervisor itself can affect every virtual machine on the host. ESXi is classified as an OS in the NVD CPE schema rather than an application.
Querying VMware ESXi
vmware_esxi
7.0.0, 7.0.3, 8.0.0

```bash
curl "https://api.attestd.io/v1/check?product=vmware_esxi&version=7.0.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

ESXi 7.0.0 (the initial release of the 7.0 branch) is affected by multiple CVEs including CVE-2021-21974, which was actively exploited by the ESXiArgs ransomware campaign in early 2023. The base release predates the Update patches that resolved these issues.

```json
{
  "product": "vmware_esxi",
  "version": "7.0.0",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "active_exploitation",
    "remote_code_execution",
    "no_authentication_required",
    "internet_exposed_service",
    "patch_available"
  ],
  "actively_exploited": true,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "7.0.1",
  "confidence": 0.85,
  "cve_ids": ["CVE-2021-21974", "CVE-2021-21985", "CVE-2021-22005"],
  "last_updated": "2026-02-23T18:21:30Z"
}
```

Update notation
VMware ESXi uses "Update" notation in its official release names (e.g. ESXi 7.0 Update 3). NVD version ranges use dotted integer notation where the update number becomes the third component. Attestd normalizes Update notation before comparison:
| VMware name | NVD / API version |
|---|---|
| ESXi 7.0 (base) | 7.0.0 |
| ESXi 7.0 Update 1 | 7.0.1 |
| ESXi 7.0 Update 2 | 7.0.2 |
| ESXi 7.0 Update 3 | 7.0.3 |
| ESXi 8.0 (base) | 8.0.0 |
The build number visible in the vSphere UI is more granular than the Update version. For range matching, the three-part Update version (7.0.3) is sufficient and matches NVD range boundaries.
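A client-side version of the Update-to-dotted mapping in the table above, for turning release names from a host inventory into the `version` value the query expects. This is an added example, not Attestd's own normalization code; the function names, the accepted spellings (`U3`, a trailing patch letter as in `Update 3c`, which is dropped) and the sample inventory are assumptions.

```python
import re
from urllib.parse import urlencode

API = "https://api.attestd.io/v1/check"  # endpoint from the page's curl example

# Accepts "ESXi 7.0", "ESXi 7.0 Update 3", "7.0 U2", "7.0.3", "ESXi 8.0 (base)".
_NAME_RE = re.compile(
    r"""^\s*(?:vmware\s+)?(?:esxi\s+)?          # optional product prefix
        (?P<major>\d+)\.(?P<minor>\d+)           # major.minor, e.g. 7.0
        (?: \.(?P<dotted>\d+)                    # already dotted: 7.0.3
          | \s*(?:update|u)\s*(?P<upd>\d+)[a-z]? # Update 3, U3, Update 3c
          | \s*\(base\)                          # (base), as written in the table
        )?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)

def normalize_esxi_version(name: str) -> str:
    """Return the three-part dotted version, e.g. 'ESXi 7.0 Update 3' -> '7.0.3'."""
    m = _NAME_RE.match(name)
    if m is None:
        # Fail closed: a guessed version could be matched against the wrong range.
        raise ValueError(f"unrecognized ESXi version string: {name!r}")
    third = m.group("dotted") or m.group("upd") or "0"  # no update means base
    return f"{int(m.group('major'))}.{int(m.group('minor'))}.{int(third)}"

def check_url(name: str) -> str:
    """Build the query URL for one host's release name."""
    query = {"product": "vmware_esxi", "version": normalize_esxi_version(name)}
    return f"{API}?{urlencode(query)}"

def plan_checks(inventory):
    """Map release names to query URLs; return unparseable names separately
    so they get reviewed instead of being silently skipped."""
    urls, rejected = {}, []
    for name in inventory:
        try:
            urls[name] = check_url(name)
        except ValueError:
            rejected.append(name)
    return urls, rejected

if __name__ == "__main__":
    # Constructed inventory strings, not taken from a real environment.
    sample = ["ESXi 7.0", "ESXi 7.0 Update 3", "7.0 U2", "8.0.0", "ESXi seven"]
    urls, rejected = plan_checks(sample)
    for name, url in urls.items():
        print(f"{name!r:24} -> {url}")
    print("needs manual review:", rejected)
```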
CVE history
ESXi vulnerabilities frequently involve services that are exposed on management networks: the OpenSLP service, the vSphere Client backend, and the SLPD daemon. Several CVEs in the 6.x and 7.0 base releases were widely exploited by ransomware operators targeting unpatched ESXi hosts exposed on the internet.
| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2021-21974 (KEV) | Heap overflow in the OpenSLP service. An unauthenticated attacker on the management network can send a crafted SLP request to trigger remote code execution on the ESXi host. Exploited extensively by the ESXiArgs ransomware campaign in February 2023. | 6.5, 6.7, 7.0 base | 8.8 |
| CVE-2021-21985 | Remote code execution in the Virtual SAN Health Check plugin of the vSphere Client. No authentication required. The plugin is enabled by default. Allows RCE with privileges of the vCenter Server process. | 6.5, 6.7, 7.0 | 9.8 |
| CVE-2021-22005 (KEV) | Arbitrary file write via the Analytics service in ESXi 7.0 Update 2. An unauthenticated attacker with network access to the host can write files to arbitrary locations and achieve remote code execution. | 7.0 U2 | 9.8 |
| CVE-2022-21123 | Shared buffer data read via hardware side channel (MMIO stale data vulnerability). Affects the ESXi host and potentially allows information disclosure from guest VMs. Part of the Processor MMIO Stale Data Advisories set. | 6.5, 6.7, 7.0 | 6.1 |
KEV = CISA Known Exploited Vulnerabilities catalog. Active exploitation confirmed.