Addressing VMSA-2021-0014


Response To VMSA-2021-0014

ESXi SFCB improper authentication vulnerability (CVE-2021-21994)

ESXi OpenSLP denial-of-service vulnerability (CVE-2021-21995)


To protect against these vulnerabilities, update your ESXi hosts to the versions listed below.

The 7.0 and 6.7 versions that protect against these vulnerabilities were released earlier this year, so you may already have upgraded to them.

If you are running these versions (or later), then you are already protected.

If you are running an earlier version, please upgrade to the versions detailed below.


ESXi Version | Fixed Version  | Build Number                                    | Release Date    | Release Notes | Additional Information
7.0          | ESXi 7.0 U2    | 17630552 (replaced by 17867351, ESXi 7.0 U2a)  | March 9th 2021  | ESXi 7.0U2    | See Important note below
6.7          | ESXi 6.7 P05   |                                                 | March 18th 2021 | ESXi 6.7 P05  |
6.5          | ESXi 6.5 EP24  | 18071574                                        | July 13th 2021  | ESXi 6.5 EP24 |

IMPORTANT: VMware removed the ESXi 7.0 Update 2 offline and online depots from all sites on March 12, 2021 due to an upgrade-impacting issue. Build 17867351 for ESXi 7.0 Update 2a replaces build 17630552 for ESXi 7.0 Update 2. All Components and Bulletins in the ESXi 7.0 Update 2a build are updated and replace the Components and Bulletins from the ESXi 7.0 Update 2 build.

To upgrade to a fixed version with vSphere Lifecycle Manager or with an offline depot, use ESXi 7.0U2a (Build 17867351).

Note: You might have to perform "Sync Updates" in Lifecycle Manager (7.x) or "Download Now" in Update Manager (6.x) to refresh the patch metadata if the latest 6.5 patch, EP24 (build 18071574), is not showing under Updates (screenshot below).



If you are not able to update your ESXi hosts at this time, the workarounds detailed in KB 1025757 and KB 76372 can be applied to all your ESXi hosts.

(Please see this article relating to possible VMware PowerCLI automation of these workarounds.)

If you have any further questions, please post them here and we will ensure that they are answered for you


Important Information For Workaround for CVE-2021-21994

Disable sfcb service

SFCB stands for "Small Footprint CIM Broker" and is used to provide hardware health information for the ESXi host in the vSphere Client and the ESXi Host Client.

This service is disabled by default.

However, 3rd party custom ISOs can include CIM VIBs, which result in the service being enabled.

Manual installation of a CIM agent will also enable the service.

This means that the status of the service depends on the installation method used.

Disabling SFCB will prevent vCenter from reporting Storage sensor information (see screenshots below).

However, the individual vendor monitoring and management systems will continue to function – the only loss of functionality is reporting via the vSphere Client and the ESXi Host Client.




To check if the service is running or not, you can use the vSphere Client


Select the ESXi Host – Configure – Services


The SFCB service is reported as CIM Server (listed as sfcbd-watchdog in older versions)





The above is taken from a host installed via the default VMware ISO.

The service is at the default setting of "Stopped" and "Start and stop manually".

If your host reports the above, then there is no need for further action.



The screenshot below shows the view from a host where the service is running.

As such, the host is exposed to this vulnerability (unless you have upgraded to one of the versions detailed above).

Follow the steps in KB 1025757 to stop the service (no reboot required).



The status of the service can also be checked by running the "/etc/init.d/sfcbd-watchdog status" command.

Log in to the host via an SSH session (for example with PuTTY) and execute the command above.




Important Information For Workaround for CVE-2021-21995

ESXi OpenSLP denial-of-service vulnerability (CVE-2021-21995)

This is the 4th advisory that relates to this service:

VMSA-2021-0014 (CVE-2021-21994 & CVE-2021-21995)
VMSA-2021-0002 (CVE-2021-21974)
VMSA-2020-0023 (CVE-2020-3992)
VMSA-2019-0022 (CVE-2019-5544)

To protect the ESXi host from the latest vulnerability, you must update to the version documented above.

The workaround is the same as for the previous advisories.

As such, you may already have disabled this service to mitigate the earlier issues.


Depending on your product version, the slpd service may be listed in the vCenter client


The screenshot below shows the service running

This needs to be stopped to protect against this issue.

Refer to KB 76372 for details (no reboot is required to disable the service).

When slpd is disabled, CIM clients that use SLP to discover CIM servers on port 427 will not be able to locate the service.


If the service is not listed in the vCenter client, you will need to check its status via an SSH session (for example with PuTTY).

Log in and run the command "/etc/init.d/slpd status".
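The two manual checks above (the sfcbd-watchdog status command for CVE-2021-21994 and the slpd status command for CVE-2021-21995) can be wrapped in one small audit script. This is an added example, not part of the original article or a VMware tool; it assumes the ESXi shell (BusyBox ash) with the two init scripts named on the page, and it assumes their status output contains "is running" or "is not running" (treated as an assumption, so anything else is reported as unparsed). It only reports; stopping the services remains the procedure in KB 1025757 and KB 76372.

```shell
#!/bin/sh
# Added example: audit the VMSA-2021-0014 workaround state on one ESXi host.
# Assumption: "/etc/init.d/<svc> status" prints text containing "is running"
# or "is not running"; other output is classified as unknown.

# Classify raw status output as running / stopped / unknown.
classify_status() {
    case "$1" in
        *"not running"*) echo stopped ;;
        *"is running"*)  echo running ;;
        *)               echo unknown ;;
    esac
}

# Print a verdict for one service and return 0 (ok), 1 (action needed),
# or 2 (status could not be parsed). $1 = service name, $2 = status text.
assess_service() {
    svc=$1
    state=$(classify_status "$2")
    case "$state" in
        running) echo "$svc: RUNNING - host exposed unless on a fixed build; apply the KB workaround"; return 1 ;;
        stopped) echo "$svc: stopped - no further action needed"; return 0 ;;
        *)       echo "$svc: unparsed status output: $2"; return 2 ;;
    esac
}

# Live check, run on the ESXi host itself over SSH: ./audit.sh --live
audit_host() {
    rc=0
    for svc in sfcbd-watchdog slpd; do
        if [ -x "/etc/init.d/$svc" ]; then
            out=$("/etc/init.d/$svc" status 2>&1)
        else
            out="init script /etc/init.d/$svc not present"
        fi
        assess_service "$svc" "$out" || rc=1
    done
    return $rc
}

case "${1:-}" in
    --live) audit_host ;;
esac
```

The script exits non-zero when either service is still running or could not be assessed, so it can be run over a host list from a jump box and the failures collected for follow-up.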



Version history: revision 6 of 6, last updated 07-13-2021 03:34 PM.