More than 6,700 VMware Servers Exposed, Susceptible to Takeover Attacks
VMware has urged customers to update their systems as soon as possible.
Over 6,700 VMware vCenter servers are exposed online and susceptible to a new cyberattack, writes Catalin Cimpanu. With a severity score of 9.8 out of 10, the underlying bug can allow hackers to control unpatched devices and effectively take over companies’ entire networks.
According to threat intelligence firm Bad Packets, scans for VMware vCenter devices are currently underway after a Chinese security researcher published proof-of-concept code on their blog for a vulnerability tracked as CVE-2021-21972.
We’ve detected mass scanning activity targeting vulnerable VMware vCenter servers (https://t.co/t3Gv2ZgTdt).
Query our API for “tags=CVE-2021-21972” for relevant indicators and source IP addresses. #threatintel https://t.co/AcSZ40U5Gp
— Bad Packets (@bad_packets) February 24, 2021
This vulnerability affects VMware vCenter Server, a type of server usually deployed inside large enterprise networks as a centralized management utility. It is important that all organizations that use VMware vCenter Server immediately restrict network access to those clients (especially if they are not segmented off on a management network), implement the mitigation provided by VMware, and consider patching those systems as soon as possible.
Security firm Positive Technologies discovered last year that hackers could target the HTTPS interface of the vCenter plugin and execute malicious code with elevated privileges on the device without any form of authentication. Due to the vCenter server’s importance within corporate networks, the issue was classified as highly critical and privately reported to VMware, which released official patches on February 23rd, 2021.
Since a large number of companies use vCenter software, Positive Technologies initially intended to hold back the information about the bug and wait for system administrators to test and apply the patch. But despite that, the proof-of-concept code urged companies to immediately apply the patch and initiate a scan for vulnerable vCenter systems left connected online.
Fanning the flames, the exploit for this bug is also a one-line cURL request, making it easy even for low-skilled threat actors to initiate attacks.
Positive Technologies has published an in-depth technical report on the vulnerability so that network defenders can learn how the exploit works and prepare additional defenses and forensic tools to detect past attacks.