Threat actors are attempting to exploit VMware vCenter CVE-2021-22005 flaw

Immediately after the public release of the exploit code for the VMware vCenter CVE-2021-22005 flaw threat actors started using it.

Researchers warn that immediately after the release of the exploit code for the recently addressed CVE-2021-22005 flaw in VMware vCenter threat actors started using it.

The CVE-2021-22005 issue is a critical arbitrary file upload vulnerability that impacts appliances running default vCenter Server 6.7 and 7.0 deployments.

vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location.

The vulnerability is due to the way it handles session tokens.

“VMware has released patches that address a new critical security advisory, VMSA-2021-0020. This needs your immediate attention if you are using vCenter Server.” reads the advisory published by the virtualization giant. “The VMSA outlines a number of issues that are resolved in this patch release. The most urgent addresses CVE-2021-22005, a file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.”

The threat intelligence firm Bad Packets reported that scanning activity for this vulnerability started immediately after the virtualization giant addressed the flaw.

CVE-2021-22005 scanning activity detected from ().

VMware vCenter servers vulnerable to arbitrary file upload leading to remote code execution (

— Bad Packets (@bad_packets) September 22, 2021

Researchers from BleepingComputer also reported that threat actors have started to exploit CVE-2021-22005 using code released by security researcher Jang.

VMware confirmed it is aware of threat actors exploiting the flaw in the wild.

“VMware has confirmed reports that CVE-2021-22005 is being exploited in the wild” states the company.

Researchers from search engines for internet-connected devices Censys published an interesting analysis of the vulnerability and provided information about the number of VMware vCenter Server installs exposed online.

Derek Abdine, CTO at Censys, explained that Linux-based deployments are exploitable with code execution, while the exploitation is more difficult on Windows-based hosts. The exploitation requires two unauthenticated web requests.

“Using a simple search query, Censys determined that just over 7,000 services on the public internet identify as VMWare vCenter. 3,264 hosts that are Internet-facing are potentially vulnerable, 436 are patched, and 1,369 are either not applicable (unaffected version) or have the workaround applied.” reads the post published by Censys.

The U.S. Cybersecurity and Infrastructure Seurity Agency (CISA) also published an advisory to warn critical infrastructrure organizations to address this vulnerability.

The security researcher Jang published a quick note for CVE-2021-22005 along with this video PoC that shows how to exploit the vulnerability.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, VMware)

The post Threat actors are attempting to exploit VMware vCenter CVE-2021-22005 flaw appeared first on Security Affairs.

Recent Posts
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt