Pierluigi Paganini
June 04, 2021
Threat actors are actively scanning the Internet for VMware vCenter servers affected by a critical remote code execution (RCE) vulnerability tracked as CVE-2021-21985.
The CVE-2021-21985 flaw is caused by the lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in the vCenter Server. The vulnerability has received a CVSS score of 9.8 and impacts vCenter Server 6.5, 6.7, and 7.0.
“The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.” reads the advisory published by the virtualization giant. “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”
According to the virtualization giant, a remote attacker can exploit the issue to gain access to a vCenter installs exposed online, whether a customer uses vSAN or not.
The scanning activity was first reported by the threat intelligence firm Bad Packets.
The availability of a proof-of-concept (PoC) exploit code for the CVE-2021-21985 RCE make it easy for thereat actors to target vulnerable installs.
At the time of this writing, thousands of vulnerable vCenter servers are still exposed online.
VMware customers have to patch their systems immediately to prevent threat actors from exploiting vulnerabilities affecting the solutions of the virtualization giant.
Multiple ransomware gangs, including Darkside and RansomExx, exploited vulnerabilities in VMWare ESXi to encrypt virtual hard disks.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Epsilon Red ransomware)
[adrotate banner=”5″]
[adrotate banner=”13″]
Hacking / October 07, 2025
