Exploit code that could be used to achieve remote code execution on VMware vCenter Server vulnerable to CVE-2021-22005 is currently spreading online.
Publicly disclosed earlier this week when VMware also addressed it, the bug comes with a critical severity rating of 9.8 and a strong recommendation to install the available patch.
Technical notes available
The vulnerability affects machines running vCenter Server versions 6.5, 6.7, and 7.0. Given the severity of the issue, VMware urges administrators to act immediately and assume that an adversary is already on the network, ready to take advantage.
Earlier today, Vietnamese security researcher Jang published technical notes for CVE-2021-22005 based on the workaround and the patch from VMware.
The details are enough for experienced developers to create a working exploit that allows remote code execution with root privileges, the researcher told BleepingComputer.
At the end of the post, Jang also provides a GitHub link to his PoC version for CVE-2021-22005. It is not a fully functional variant, though, intentionally so to prevent less skilled threat actors from using it in attacks directly.
The researcher told us that as it is now, the code can do nothing because its completion status is around 90% and it is missing the important part.
An adversary would have to put in some effort to turn it into a full-fledged exploit, but they should be able to create one that is 100% reliable.
Penetration tester and Synack Envoy Nicolas Krassas tested the code and confirmed that it needs some modifications to work properly. But it does prove that CVE-2021-22005 can be used to create a backdoor on a vulnerable system.
Attacks expected soon
Jang built a fully functional exploit and tested it in a controlled environment. He said that it works just fine, obtaining remote code execution before detection can catch it.
Threat actors have shown interest in this vulnerability shortly after its disclosure. Just hours after a patch became available, threat intelligence company Bad Packets saw scanning activity targeting CVE-2021-22005.
Currently, there are thousands of vCenter Server instances exposed to the public internet but not all are vulnerable to CVE-2021-22005. However, attackers can find plenty of targets using a search engine for internet-connected devices.
Given the severity of the flaw, the interest in vulnerable vCenter Server deployments, and the availability of partial PoC exploit code, it is reasonable to assume that attacks leveraging CVE-2021-22005 are likely to start soon.
Jang said that an average-skilled adversary should need about an hour to build a working, reliable version of his exploit. He believes that actors will soon start using the flaw and strongly advises administrators to patch their systems.
The researcher also published a video to demonstrate how an attacker could exploit the vulnerability: