Mass scanning detected after RCE exploits surface online

Attackers are actively exploiting a critical vulnerability in VMware vCenter Server that exposes vulnerable enterprise networks to the risk of infiltration.

The arbitrary file upload flaw (CVE-2021-22005) – one of a raft of vCenter vulnerabilities addressed by software updates released on September 21 – can be abused regardless of configuration settings, says VMware.


BACKGROUND VMware security warning: Multiple vulnerabilities in vCenter Server could allow remote network access


The situation was serious enough to prompt the US Cybersecurity and Infrastructure Security Agency (CISA) to warn on Friday (September 24) that “widespread exploitation” was likely after RCE exploits surfaced online.

On the same day, threat intelligence firm Bad Packets reported that it had indeed detected “mass scanning activity” against its VMware honeypots. VMware updated its security advisory on the same day to acknowledge that in-the-wild exploitation had been detected.

CISA has urged organizations with vulnerable installations to update their systems as soon as possible and apply a temporary workaround provided by VMware in the meantime.

Aaron Portnoy, principal scientist at attack surface management specialists Randori, has set out detection methods and indicators of compromise to help defenders determine whether they’ve been infiltrated via CVE-2021-22005.

Post-intrusion threat

As reported by The Daily Swig last week, VMware released patches for 19 CVEs in total, with high severity local privilege escalation (CVE-2021-21991), reverse proxy bypass (CVE-2021-22006), and unauthenticated API endpoint (CVE-2021-22011) vulnerabilities the most severe.

These lower impact flaws – ranging from CVSS 4.3 to 8.8 – could be leveraged to damaging effect once attackers get inside networks, VMware has warned.


RECOMMENDED Opera browser patches My Flow remote code execution vulnerability


“Attackers often compromise a desktop and/or user account on the corporate network, and then patiently and quietly use that to break into other systems over long periods of time,” the Palo Alto-based company said in a blog post.

“They steal confidential data, intellectual property, and at the end install ransomware and extort payments from their victims.”

The critical flaw, which has a CVSS of 9.8, affects vCenter Server versions 6.7 and 7.0 and Cloud Foundation versions 3.x and 4.x. Other flaws also affect vCenter Server 6.5.

Prime target

Infosec expert Kevin Beaumont praised VMware’s handling of the vulnerabilities last week, tweeting that “VMware do an incredible job nowadays of communicating high severity security vulnerabilities”.

However, VMware’s popularity among enterprises, many of which can be slow to update their systems, nevertheless makes its server virtualization technologies compelling targets for attackers.


Read more of the latest enterprise security news


In June, for instance, The Daily Swig reported that around 4,000 vCenter Server instances were still vulnerable to a pair of critical security flaws in vSphere Client (HTML5) three weeks after their disclosure.

And in February, it emerged that more than 6,000 vCenter installations were potentially at risk as attackers probed systems for the presence of another critical RCE vulnerability.

The Daily Swig has invited VMware to comment further, and we will update the article should they do so.


RECOMMENDED APT focus: ‘Noisy’ Russian hacking crews are among the world’s most sophisticated