Active Exploitation of Critical VMware vCenter Software Vulnerability

Cyber actors are actively exploiting a critical remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation to take full control of unpatched systems. VMware disclosed the vulnerability, CVE-2021-21985, in late May and released a patch resolving it on May 25, 2021.

The Cybersecurity and Infrastructure Security Agency (CISA) recently released an advisory cautioning all users of VMware vCenter Server and VMware Cloud Foundation that the vulnerability is an attractive target for cyber attackers and that exploitation is highly likely. A reliable proof-of-concept exploit for the vulnerability is already publicly available.

Thousands of internet-exposed vCenter servers remain vulnerable to attack. Several security researchers are conducting mass scans for VMware vSphere hosts susceptible to the RCE vulnerability, and have observed vulnerability scanning against honeypots set up with unpatched versions of VMware vCenter Server.

Recently, the Department of Health and Human Services’ Office for Civil Rights published a cyber alert reiterating the importance of applying the patches for the vulnerability, noting that CISA has identified a number of agencies that have not yet applied the patch and remain exposed to attack.

VMware explained that a malicious actor with network access to port 443 could exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Security researcher Kevin Beaumont reported that his honeypot was infected with a web shell following exploitation of the vulnerability. “vCenter, which is a virtualization management software program, can be hacked to control the virtualization layer (e.g., VMware ESXi) - allowing access prior to the OS layer (as well as security controls). This is a critical vulnerability, therefore businesses need to patch or limit the vCenter server access to authorized administrators only.”

If it is not possible to apply the patches right away, there are workarounds that can be implemented to reduce the likelihood of exploitation. These workarounds should be carried out without delay.