Critical VMware vCenter Server Vulnerability Under Active Exploitation

By Richard Anderson

The critical VMware vCenter Server vulnerability CVE-2021-21985 is being actively exploited in the wild. There have been several successful exploits of the 9.8/10 severity vulnerability and at least one reliable exploit for the flaw is now in the public domain.

VMware issued an advisory about the flaw in the last week in May and urged users to patch promptly to avoid exploitation. The flaw is now being exploited by at least one threat actor to install a web shell on unpatched machines.

The flaw affects vCenter Servers running the default configuration, which exposes the vulnerable service on a port that can be reached from the Internet. An unauthenticated attacker can remotely exploit the flaw to achieve code execution. One exploit in the public domain has been confirmed as reliable and can be tweaked and used for malicious purposes.

On Friday last week, security researcher Kevin Beaumont said one of his honeypots that was set up with an unpatched version of vCenter was scanned by remote systems and the CVE-2021-21985 vulnerability was exploited to deliver a web shell. The web shell would allow a remote attacker to have the same control over the machine as a local administrator. Beaumont was one of several researchers to report that their honeypots were being scanned for vulnerable vCenter servers.

VMware issued a patch to correct the critical vulnerability in VMware vCenter Server and VMware Cloud Foundation on May 25, 2021. The U.S. Cybersecurity and Infrastructure Security Agency issued an advisory on June 4 warning that there was a high likelihood of cyber threat actors attempting to exploit the flaw, explaining that unpatched machines are an attractive target and the flaw would allow them to take full control of vulnerable machines. Once access to a machine has been gained, attackers could easily move laterally to other parts of the network, gain persistence, and deliver malware or ransomware.

Any admin who has yet to patch against CVE-2021-21985 should do so immediately. It is highly likely that the volume of attacks will increase.


Richard Anderson is the Editor-in-Chief of NetSec.news