The US Cybersecurity and Infrastructure Security Agency has warned companies running VMware vCenter Server and VMware Cloud Foundation software to update as soon as possible because attackers are scanning the internet for vulnerable servers.
VMware released a patch for two critical remote code execution flaws on May 25. The two bugs, tracked as CVE-2021-21985 and CVE-2021-21986, have a severity rating of 9.8 out of 10. The bugs affect VMware vCenter Server and VMware Cloud Foundation.
CISA has now warned that it is "aware of the likelihood that cyber threat actors are attempting to exploit CVE-2021-21985". It said organisations should apply the necessary updates as soon as possible, even if out-of-cycle work is required.
As ZDNet reported last month, CVE-2021-21985 affects the vSphere HTML5 client and allows an attacker with network access to port 443 to execute arbitrary commands on the underlying operating system that hosts vCenter Server and take control of it.
"Although patches were made on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system," CISA warned.
Via Ars Technica, Troy Mursch, a security researcher for Bad Packets, has been tracking mass scanning for the bugs on internet-exposed VMware vCenter servers.
On Saturday, Mursch reported he had seen exploit activity using a proof of concept exploit targeting VMware vCenter servers harboring CVE-2021-21985. Bad Packets runs a honeypot that contains servers with the bug.
CVE-2021-21985 exploit activity detected from 119.28.15.199 (🇭🇰) based on this PoC (https://t.co/qhBbHdOaK4) targeting our VMware vCenter honeypot.
Query our API for "source_ip_address=119.28.15.199" for full payload and other relevant indicators. #threatintel
VMware urged customers to patch affected servers immediately. The virtualization software firm warned organisations that have placed their vCenter Servers on internet-exposed networks, which may therefore lack firewall protection (often the last line of defence), that they should audit these systems for compromise.
"In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible," it previously said.
CISA recommended administrators review VMware's VMSA-2021-010 advisory, its blogpost, and its FAQ about the issue.