Critical VMware vCenter Software Vulnerability Under Attack
A critical remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation is being actively exploited to take full control of unpatched systems. The flaw, tracked as CVE-2021-21985 (CVSSv3 9.8), sits in the vSphere Client (HTML5) and stems from missing input validation in a plug-in that is enabled by default in vCenter Server. VMware disclosed it on May 25, 2021, and released patches the same day.
The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert warning all users of VMware vCenter Server and VMware Cloud Foundation that the vulnerability is an attractive target for attackers and that the risk of exploitation is high. A reliable proof-of-concept exploit is now publicly available.
Thousands of vulnerable vCenter servers are reachable from the Internet. Mass scanning for vSphere hosts vulnerable to this RCE flaw is under way, and several security researchers have reported that honeypots they set up with vulnerable versions of VMware vCenter Server have already been probed for it.
Today, the Department of Health and Human Services’ Office for Civil Rights issued a cyber alert reiterating the importance of patching the vulnerability, noting that CISA has identified several agencies that have not yet applied the patch and remain exposed to attack.
According to VMware, “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”
Security researcher Kevin Beaumont said his honeypot was infected with a web shell after the vulnerability was exploited. “vCenter is a virtualization management software,” he said. “If you hack it, you control the virtualization layer (e.g., VMware ESXi)—which allows access before the OS layer (and security controls). This is a serious vulnerability, so organizations should patch or restrict access to the vCenter server to authorized administrators.”
If the patches cannot be applied immediately, VMware has published workarounds that reduce the risk of exploitation; these should be implemented without delay. Because exploitation requires only network access to port 443, restricting access to the vCenter management interface to authorized administrators is an effective interim control, but it does not remove the vulnerability and is no substitute for patching.
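Knowing which vCenter instances are still unpatched is the first step in either path. The script below is an added example written for this article, not code from VMware or from the article itself. It uses the unauthenticated RetrieveServiceContent call on the vSphere SOAP endpoint (https://host/sdk), which returns the server's AboutInfo including its version and build number, and compares the build against the first fixed build on each vCenter line. The fixed build numbers in FIXED_BUILDS were looked up for this example from VMware's VMSA-2021-0010 response matrix and are not stated in the article; confirm them against the advisory before relying on the output. The embedded SAMPLE_RESPONSE is a constructed response so the parsing and assessment logic runs offline.

```python
"""Check whether a vCenter Server build includes the fix for CVE-2021-21985.

Added example, not code from the article or from VMware. The unauthenticated
RetrieveServiceContent call on /sdk returns the server's AboutInfo (version and
build number). The fixed builds below were looked up from VMware's
VMSA-2021-0010 response matrix for this example; verify them against the advisory.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# First build on each vCenter line that carries the fix (7.0 U2b, 6.7 U3n, 6.5 U3p).
# Builds increase monotonically within a line, so build >= fixed means patched.
FIXED_BUILDS = {
    "7.0": 17958471,
    "6.7": 18010531,
    "6.5": 17994927,
}

# SOAP body for the unauthenticated ServiceInstance.RetrieveServiceContent call.
RETRIEVE_SERVICE_CONTENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:urn="urn:vim25">
  <soapenv:Body>
    <urn:RetrieveServiceContent>
      <urn:_this type="ServiceInstance">ServiceInstance</urn:_this>
    </urn:RetrieveServiceContent>
  </soapenv:Body>
</soapenv:Envelope>"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_about_info(xml_bytes):
    """Return version, build, fullName and apiType from a RetrieveServiceContent response."""
    root = ET.fromstring(xml_bytes)
    about = next((el for el in root.iter() if _local(el.tag) == "about"), None)
    if about is None:
        raise ValueError("no <about> element in response")
    fields = {_local(child.tag): (child.text or "").strip() for child in about}
    return {
        "version": fields.get("version", ""),
        "build": int(fields.get("build", "0")),
        "fullName": fields.get("fullName", ""),
        "apiType": fields.get("apiType", ""),
    }


def assess(version, build):
    """Classify a build as 'patched', 'vulnerable', or 'unknown' (line not in the table)."""
    line = ".".join(version.split(".")[:2])
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return "unknown"
    return "patched" if build >= fixed else "vulnerable"


def fetch_about_info(host, timeout=10):
    """POST RetrieveServiceContent to https://host/sdk (needs network access to port 443)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # vCenter commonly runs a self-signed certificate
    ctx.verify_mode = ssl.CERT_NONE   # acceptable for an inventory check only
    req = urllib.request.Request(
        f"https://{host}/sdk",
        data=RETRIEVE_SERVICE_CONTENT,
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": "urn:vim25/7.0"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_about_info(resp.read())


# Constructed sample response in the shape vCenter returns, so the logic runs offline.
# The build number here is made up for the example.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<RetrieveServiceContentResponse xmlns="urn:vim25"><returnval>
<rootFolder type="Folder">group-d1</rootFolder>
<about>
<name>VMware vCenter Server</name>
<fullName>VMware vCenter Server 7.0.1 build-17005000</fullName>
<vendor>VMware, Inc.</vendor>
<version>7.0.1</version>
<build>17005000</build>
<apiType>VirtualCenter</apiType>
<apiVersion>7.0.1.0</apiVersion>
</about>
</returnval></RetrieveServiceContentResponse>
</soapenv:Body></soapenv:Envelope>"""


if __name__ == "__main__":
    import sys
    # With a hostname argument the live server is queried; without one the sample is used.
    info = fetch_about_info(sys.argv[1]) if len(sys.argv) > 1 else parse_about_info(SAMPLE_RESPONSE)
    print(f"{info['fullName']}: {assess(info['version'], info['build'])}")
```

Run it against each vCenter hostname in the inventory (`python3 check_vcenter.py vcenter.example.internal`) and treat any "vulnerable" or "unknown" result as needing the patch or, at minimum, the workaround. Note that the same unauthenticated call that makes this inventory check convenient is also available to an attacker with access to port 443, which is another reason to restrict that port to administrators.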