Hackers have begun scanning for vulnerable VMware vCenter servers

An abstract image of padlocks overlaying a digital background.
(Image credit: Shutterstock)
Audio player loading…

In a not entirely unexpected development, threat actors have started looking for internet-exposed VMware (opens in new tab) vCenter servers whose admins haven’t yet patched them against the critical arbitrary file upload vulnerability that was disclosed yesterday (opens in new tab).

The critical security flaw, tracked as CVE-2021-22005 impacts VMware’s flagship vCenter Server deployments, and could help facilitate remote code execution (RCE) attacks from unauthenticated attackers without requiring user interaction.

“In this era of ransomware (opens in new tab) it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible," warned (opens in new tab) Bob Plankers, Technical Marketing Architect at VMware yesterday as he urged vCenter Server admins to apply the patches without delay.

It seems the threat actors were more attentive, and it wasn’t long until the honeypots of threat intelligence company Bad Packets were scanned (opens in new tab) by malicious users looking for unpatched vCenter Servers.

Just a matter of time

Bad Packets later added (opens in new tab) that the malicious scans of its honeypots revealed that they were based on the workaround information provided by VMware for customers who couldn't immediately patch their appliances.

Sharing the development, BleepingComputer points out that this isn’t the first time threat actors have taken advantage of an admin’s laxity in patching their vCenter Servers to scan for and attack them soon after a vulnerability is disclosed.

In fact, there have been a couple of similar incidents this year alone, first in February (based on (based on CVE-2021-21972), and then in May (opens in new tab) (based on CVE-2021-21985).

The only saving grace with CVE-2021-22005, at least for now, is that unlike the previously mentioned vulnerabilities, security researchers haven’t yet caught hold of any exploit code that could capitalize on the bug. 

However, since threat actors are actively scanning for vulnerable servers, chances are they already have a working exploit, or one that’s close to completion. In either case, the activity should be enough to convince admins to drop everything and patch their exposed vCenter Servers immediately.

Via BleepingComputer (opens in new tab)

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.