Attackers are actively scanning for two critical remote command execution (RCE) vulnerabilities in VMware vCenter servers.
The first vulnerability, tracked as CVE-2021-21972, allows remote malicious actors unrestricted access to the host operating system. The vulnerability has a critical CVSSv3 score of 9.8 and was disclosed in February of this year. Functioning proofs of concept and mass scanning activity followed within a few days of the disclosure. Recently, the vulnerability has been found weaponized by the cryptomining Python botnet "Necro."
The second RCE vulnerability, tracked as CVE-2021-21985, also allows remote actors unrestricted access to the host operating system and also carries a critical CVSSv3 score of 9.8. The vulnerability was disclosed on May 25th, and by June 2nd a blog post had surfaced with technical details of the exploit. At the time of writing, the details needed to weaponize CVE-2021-21985 have been available for only three days, and malicious activity is ramping up quickly.
vSphere servers are a hot commodity for malicious actors: they reside inside enterprise networks or virtual private clouds and provide reasonably large amounts of CPU and memory. Whether for cryptojacking and ransomware, for use as malicious infrastructure, or as a jump host for lateral movement and espionage/extortion, vulnerable and exposed servers are easily located and will be abused by malicious actors.
CVE-2021-21972
On February 23, 2021, VMware disclosed an RCE vulnerability in a vCenter Server plugin reachable through the vSphere HTML5 client. The severity of the issue was evaluated as critical, with a CVSSv3 score of 9.8. A malicious actor with network access to the server could exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts the vCenter Server. The privately reported vulnerability was disclosed simultaneously with a patch that fixed the issue, in advisory VMSA-2021-0002.
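Because the mass scanning that followed the disclosure shows up first in the web tier's access logs, a defender's earliest signal is a burst of rejected requests from one source against the HTML5 client's plugin paths. The script below is an added example written for this alert, not code from VMware or from the original advisory: it parses combined-format access log lines (the lines are constructed for the example), and the `/ui/` path prefix for the vSphere HTML5 client is an assumption you should adjust to match your deployment's logs. It flags any source IP that produced a threshold number of 4xx responses under that prefix inside a sliding time window, which is the shape of endpoint enumeration rather than ordinary client use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in combined-log layout (not real vCenter
# logs). The "/ui/" prefix for the vSphere HTML5 client is an assumption.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2021:10:00:01 +0000] "GET /ui/ HTTP/1.1" 200 1450
203.0.113.10 - - [05/Jun/2021:10:00:02 +0000] "POST /ui/plugin-a/upload HTTP/1.1" 404 0
203.0.113.10 - - [05/Jun/2021:10:00:02 +0000] "POST /ui/plugin-b/upload HTTP/1.1" 404 0
203.0.113.10 - - [05/Jun/2021:10:00:03 +0000] "POST /ui/plugin-c/upload HTTP/1.1" 404 0
203.0.113.10 - - [05/Jun/2021:10:00:03 +0000] "POST /ui/plugin-d/upload HTTP/1.1" 405 0
198.51.100.7 - - [05/Jun/2021:10:05:00 +0000] "GET /ui/ HTTP/1.1" 200 1450
198.51.100.7 - - [05/Jun/2021:10:05:30 +0000] "GET /ui/app/home HTTP/1.1" 200 9300
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_plugin_probing(log_text, window=timedelta(seconds=60), threshold=3, prefix="/ui/"):
    """Return {ip: peak_count} for sources that sent at least `threshold`
    requests under `prefix` that were rejected (4xx) within any `window`.
    Successful requests are ignored so normal console use is not flagged."""
    rejected = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["path"].startswith(prefix) and 400 <= rec["status"] < 500:
            rejected[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in rejected.items():
        stamps.sort()
        start, peak = 0, 0
        # Sliding window over the sorted timestamps: largest burst inside `window`.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_plugin_probing(SAMPLE_LOG).items():
        print(f"{ip}: {count} rejected plugin requests within 60s")
```

Run against real logs, tune `threshold` and `window` to your baseline and pair a hit with the patch status of the host: a probing burst against an unpatched server is the event to escalate, while the same burst against a patched one is still worth recording as reconnaissance.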
On February 24, 2021, Mikhail Klyuchnikov of Positive Technologies published detailed results of the research from autumn 2020 that led to the discovery of the vulnerability. Positive Technologies had originally planned to delay the release of the technical details to give organizations time to patch their vCenter servers, but after two functioning PoC exploits had already been released and attackers had started scanning for unpatched servers, they published the details earlier.