Critical RCE bug in VMware vCenter Server under active attack


Cyber criminals are scanning the internet for VMware vCenter servers that remain unpatched against a critical remote code execution flaw that was addressed at the end of last month.

The ongoing activity was detected by Bad Packets and confirmed by security researcher Kevin Beaumont.

Troy Mursch, chief research officer at Bad Packets, tweeted that mass scanning activity had been detected checking for VMware vSphere hosts vulnerable to remote code execution.

Proof-of-concept (PoC) RCE exploit code targeting the VMware vCenter bug has been published.

The bug, tracked as CVE-2021-21985 (CVSS score 9.8), is a consequence of a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which could be abused by a threat actor to execute commands with unrestricted privileges on the underlying operating system that hosts the vCenter Server.

VMware rectified the flaw on May 25, and users are strongly recommended to apply the emergency change immediately.

This is not the first time malicious actors have opportunistically mass scanned the internet for vulnerable VMware vCenter servers. A similar remote code execution vulnerability (CVE-2021-21972), which VMware patched in February, was targeted in order to exploit and take control of unpatched systems.

At least 14,858 vCenter servers were found reachable over the internet at the time, according to Bad Packets and Binary Edge.

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
