Hackers have begun scanning for vulnerable VMware vCenter servers
There’s no exploit code yet, but it’s just a matter of time
In a not entirely unexpected development, threat actors have started looking for internet-exposed VMware vCenter servers whose admins haven’t yet patched them against the critical arbitrary file upload vulnerability that was disclosed yesterday.
The critical security flaw, tracked as CVE-2021-22005, impacts VMware’s flagship vCenter Server deployments and could facilitate remote code execution (RCE) attacks by unauthenticated attackers without requiring any user interaction.
“In this era of ransomware it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,” warned Bob Plankers, Technical Marketing Architect at VMware, yesterday as he urged vCenter Server admins to apply the patches without delay.
It seems the threat actors were more attentive, and it wasn’t long until the honeypots of threat intelligence company Bad Packets were scanned by malicious users looking for unpatched vCenter Servers.
Just a matter of time
Bad Packets later added that the malicious scans of its honeypots revealed that they were based on the workaround information provided by VMware for customers who couldn’t immediately patch their appliances.
Sharing the development, BleepingComputer points out that this isn’t the first time threat actors have taken advantage of an admin’s laxity in patching their vCenter Servers to scan for and attack them soon after a vulnerability is disclosed.
In fact, there have been a couple of similar incidents this year alone, first in February (based on CVE-2021-21972), and then in May (based on CVE-2021-21985).
The only saving grace with CVE-2021-22005, at least for now, is that unlike the previously mentioned vulnerabilities, security researchers haven’t yet caught hold of any exploit code that could capitalize on the bug.
However, since threat actors are actively scanning for vulnerable servers, chances are they already have a working exploit, or one that’s close to completion. In either case, the activity should be enough to convince admins to drop everything and patch their internet-exposed vCenter Servers immediately.
Via BleepingComputer
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.