Contents:
The malicious actors are going after the CVE-2021-22005 that is unpatched against a critical arbitrary file upload vulnerability.
This vulnerability that was recently patched could lead to remote code execution, as it impacts all vCenter Server 6.7 and 7.0 deployments with default configurations.
While the exploit code has not yet been made public, threat intelligence firm Bad Packets has detected active scanning activity, with some of its VMware honeypots documenting attackers looking for the serious issue mere hours after VMware published security patches.
CVE-2021-22005 scanning activity detected from 116.48.233.234 (??).
Target:
VMware vCenter servers vulnerable to arbitrary file upload leading to remote code execution (https://t.co/JWfc7rHuUK).#threatintel pic.twitter.com/mDFQtyx8IG— Bad Packets (@bad_packets) September 22, 2021
Threat actors have previously looked for and targeted weak VMware vCenter systems.
After security researchers revealed proof-of-concept (PoC) exploit code for another severe RCE security hole (CVE-2021-21972) affecting all default vCenter installs in February, attackers scoured the internet for unpatched vCenter appliances.
Following the publication of the attack code online in June, scanning for Internet-exposed VMware vCenter systems left susceptible to CVE-2021-21985 RCE exploits commenced.
Possible Incoming Exploitation Attempts
The ongoing scans are coming soon after the warning issued by VMware in which it was highlighted the importance of patching servers against the CVE-2021-22005 bug as soon as possible.
This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.
In this era of ransomware, it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.
VMware provided a workaround that requires the admins to edit a text file on the virtual appliance and restart the services manually or by using a script in order to remove the exploitation vector.
Immediately, the ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.
With the threat of ransomware looming nowadays, the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing and act accordingly.
This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.