Tracked as CVE-2021-22005, the vulnerability exists in the analytics service of vCenter Server, and can be exploited to allow attackers to remotely execute malicious code on unpatched vCenter Servers.
Several security experts had warned of mass scanning activity within a day of the vulnerability’s disclosure, and the threat has become real with the discovery of a working exploit.
- These are the best ransomware protection tools
- Protect your devices with these best antivirus software
- We've put together a list of the best endpoint protection software
“On September 24, 2021, VMware confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability,” shared the US Cybersecurity and Infrastructure Security Agency (CISA) in an advisory.
Free for all
Even about a week after VMware putting out the patch for the vulnerability, a report by security vendor Censys shows that there are about 1500 unpatched internet-facing vCenter servers that could be exploited.
Censys’ CTO Derek Abdine told ZDNet that the security vendor had proven that remote execution of the exploit is fairly straightforward.
Commenting on the significance of the vulnerability, John Bambenek, principal threat hunter at Netenrich, told ZDNet that remote code execution (RCE) as root on vCenter servers is pretty significant.
“Almost every organization operates virtual machines and if a threat actor has root access, they could ransom every machine in that environment or steal the data on those virtual machines with relative ease,” opined Bambenek.
- Here’s our roundup of the best patch management tools