Threat actors are attempting to exploit VMware vCenter CVE-2021-22005 flaw

Immediately after the public release of the exploit code for the VMware vCenter CVE-2021-22005 flaw threat actors started using it.

Researchers warn that immediately after the release of the exploit code for the recently addressed CVE-2021-22005 flaw in VMware vCenter threat actors started using it.

The CVE-2021-22005 issue is a critical arbitrary file upload vulnerability that impacts appliances running default vCenter Server 6.7 and 7.0 deployments.

vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location.

The vulnerability is due to the way it handles session tokens.

“VMware has released patches that address a new critical security advisory, VMSA-2021-0020. This needs your immediate attention if you are using vCenter Server.” reads the advisory published by the virtualization giant. “The VMSA outlines a number of issues that are resolved in this patch release. The most urgent addresses CVE-2021-22005, a file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.”

The threat intelligence firm Bad Packets reported that scanning activity for this vulnerability started immediately after the virtualization giant addressed the flaw.

Researchers from BleepingComputer also reported that threat actors have started to exploit CVE-2021-22005 using code released by security researcher Jang.

VMware confirmed it is aware of threat actors exploiting the flaw in the wild.

“VMware has confirmed reports that CVE-2021-22005 is being exploited in the wild” states the company.

Researchers from search engines for internet-connected devices Censys published an interesting analysis of the vulnerability and provided information about the number of VMware vCenter Server installs exposed online.

Derek Abdine, CTO at Censys, explained that Linux-based deployments are exploitable with code execution, while the exploitation is more difficult on Windows-based hosts. The exploitation requires two unauthenticated web requests.

“Using a simple search query, Censys determined that just over 7,000 services on the public internet identify as VMWare vCenter. 3,264 hosts that are Internet-facing are potentially vulnerable, 436 are patched, and 1,369 are either not applicable (unaffected version) or have the workaround applied.” reads the post published by Censys.

The U.S. Cybersecurity and Infrastructure Seurity Agency (CISA) also published an advisory to warn critical infrastructrure organizations to address this vulnerability.

The security researcher Jang published a quick note for CVE-2021-22005 along with this video PoC that shows how to exploit the vulnerability.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VMware)

[adrotate banner=”5″]

[adrotate banner=”13″]