According to VMware, the recently patched vCenter Server vulnerability tracked as CVE-2021-22005 has been exploited in the wild, and some experts believe attackers have chained it with another vulnerability patched in the same batch of updates.
VMware is a vendor of virtualization software. Its hypervisors create virtual machines that behave like physical computers, so everything running inside a virtual machine stays contained within it. This lets organizations run many application and operating system workloads on a single physical server and manage resources more efficiently; in simple terms, VMware lets you run more applications on fewer physical servers. vCenter Server is VMware's centralized platform for managing those hypervisors and the virtual machines they host, which is why a flaw in it is attractive to attackers.
VMware had informed customers on September 21 that 19 vulnerabilities had been addressed in its vCenter Server software, including CVE-2021-22005, a critical arbitrary file upload vulnerability in the Analytics service that can lead to remote code execution on vulnerable systems. VMware has since updated its advisory to note that the vulnerability has been exploited in the wild.
Threat intelligence firm Bad Packets reported seeing internet scans targeting CVE-2021-22005 the following day, although the activity appeared to be limited. The initial scans looked to be based on the workaround verification check that VMware published alongside the updates.
Researchers have analyzed the patches and disclosed technical details along with a proof-of-concept (PoC) exploit. While the PoC cannot be used in attacks as is, Bad Packets says it has nevertheless been used to attack vCenter servers: on September 24, the day the PoC was released, the firm observed a spike in activity targeting the vulnerability.
Threat intelligence firm GreyNoise reports seeing attacks that target both CVE-2021-22005 and CVE-2021-22017, a vCenter Server rhttpproxy bypass vulnerability that, according to VMware, can allow access to internal endpoints. Both issues were addressed in the same batch of updates.
Although thousands of vCenter servers appear to be exposed to the internet, the vulnerabilities can also be exploited by attackers who have already gained a foothold inside the targeted organization's network.
Censys, an internet scanning service, found more than 7,000 vCenter servers accessible from the internet, roughly 3,200 of which appear to be vulnerable. Censys has also published a technical blog post on CVE-2021-22005 that includes guidance for identifying compromised systems.