PoC Exploit Published for High Severity Vulnerability in VMware vCenter


According to Shodan, more than 6,700 Internet-accessible VMware vCenter servers are exposed to a new attack that lets attackers seize control of unpatched servers and, through them, of the organizations' internal networks.


According to researchers at the information security company Bad Packets, mass scanning of the Internet for VMware vCenter installations affected by CVE-2021-21972 is already under way. The vulnerability affects the vSphere Client (HTML5) plugin and allows remote code execution. It scored 9.8 out of a maximum 10 on the CVSS v3 scale. The vulnerability, together with CVE-2021-21973, was discovered by Mikhail Klyuchnikov, a Positive Technologies specialist, and fixed on February 23, 2021.


The scans began on Wednesday, February 24, after a Chinese researcher published a PoC exploit for CVE-2021-21972. By publishing the PoC, the researcher not only denied companies time to deploy patches but also triggered a wave of scans for vulnerable VMware vCenter systems. To make matters worse, the exploit is a one-line cURL request, so even inexperienced attackers can automate their attacks.


Because VMware vCenter servers play a central role in corporate networks, compromising one could give attackers access to any system connected to it. Attackers (known as "network brokers") often break into such devices and then sell access to them on underground forums to ransomware operators. In addition, cybercriminals such as Darkside and RansomExx began attacking VMware systems last year, demonstrating how effective targeting corporate networks built on virtual machines can be.