Scans are currently being conducted to identify VMware vCenter servers that have not been patched, following the publication of Proof-of-Concept (PoC) exploits for a vulnerability tracked as CVE-2021-21972. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10 and a patch was released on February 23, 2021.
The vulnerability is in the vSphere Client (HTML5), a plugin of VMware vCenter that is used as a centralized management utility for managing VMware products on local workstations. The vulnerability can be exploited remotely via the HTTPS interface of the plugin, which allows execution of malicious code with elevated privileges without authentication. If the flaw is exploited, an attacker could gain access to any system connected to the central server. The vSphere Client is often used by IT teams at large enterprises, which makes the vulnerability particularly attractive to Initial Access Brokers and ransomware gangs.
The vulnerability was identified in 2020 by Positive Technologies and was reported to VMware. Shodan shows around 6,700 VMware servers are connected to the Internet and, according to BinaryEdge, there are 14,000 exposed servers. If the patch is not applied, they will be vulnerable to attack.
Due to the number of affected servers, Positive Technologies held back on announcing the vulnerability to give IT teams time to apply the patch and secure their servers; however, on February 24, 2021, a Chinese security researcher with the moniker Ricter Z published PoC exploit code for the vulnerability. Positive Technologies has now published its findings about the vulnerability after at least two PoC exploits were made public. Exploiting the flaw is straightforward: a malicious actor with access to port 443 can exploit the vulnerability using a single-line cURL request.
VMware recommends applying the patch immediately to prevent exploitation of the flaw, although workaround instructions have been provided for cases where vulnerable servers cannot be patched immediately. Hackers are currently scanning for vulnerable servers in order to attack them before the patch is applied. According to Bad Packets, scans for vulnerable servers were detected within a day of the patch being released.