More than 6,700 VMware servers exposed online and vulnerable to major new bug


[Image: VMware, ZDNet]

More than 6,700 VMware vCenter servers are currently exposed online and vulnerable to a new attack that lets hackers take over unpatched devices and, from there, effectively seize control of a company's entire network.

Scans for VMware vCenter devices are currently underway, according to threat intelligence firm Bad Packets.

The scans started earlier today, after a Chinese security researcher published proof-of-concept code on their blog for a vulnerability tracked as CVE-2021-21972.

The vulnerability sits in a vCenter Server plugin (the vRealize Operations plugin) exposed through the vSphere Client (HTML5), the web interface of VMware vCenter Server. vCenter is a type of server usually deployed inside large enterprise networks as the centralized management utility through which IT personnel manage VMware ESXi hosts and the virtual machines running on them, which is why control of it amounts to control of the virtual estate.

Last year, security firm Positive Technologies discovered that an attacker who can reach the HTTPS interface (port 443) of this plugin can execute arbitrary code with elevated privileges on the vCenter server without having to authenticate.

Because of the central role a vCenter server plays inside corporate networks, the issue was rated critical (CVSSv3 base score 9.8) and privately reported to VMware, which released official patches yesterday, February 23, 2021.

Due to the large number of companies that run vCenter software on their networks, Positive Technologies initially planned to withhold details about this bug until system administrators had had enough time to test and apply the patch.
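Since the patch is the only real fix, the first thing a defender wants is a quick way to tell whether a given vCenter is already running a fixed build. The following Python is an added example, not code from the article, VMware or Positive Technologies. It assumes the version banner has the form printed by `vpxd -v` on a vCenter Server Appliance (`VMware VirtualCenter X.Y.Z build-N`), and the minimum fixed build numbers are taken from VMware's advisory VMSA-2021-0002 (vCenter 7.0 U1c, 6.7 U3l and 6.5 U3n). Build numbers are only comparable within one major.minor line, so the table is keyed per line; verify the numbers against the advisory before relying on them.

```python
import re
from typing import Optional, Tuple

# Minimum vCenter Server builds carrying the fix for CVE-2021-21972, keyed by
# major.minor line, as listed in VMware advisory VMSA-2021-0002
# (7.0 U1c, 6.7 U3l, 6.5 U3n). Assumption supplied by this example, not by
# the article: check the advisory before trusting these values.
FIXED_BUILDS = {
    "7.0": 17327517,
    "6.7": 17138064,
    "6.5": 17590285,
}

# Assumed banner format of `vpxd -v` on the appliance, e.g.
# "VMware VirtualCenter 6.7.0 build-17138064".
VPXD_RE = re.compile(r"VMware VirtualCenter (\d+\.\d+)\.\d+ build-(\d+)")


def parse_vpxd_version(banner: str) -> Optional[Tuple[str, int]]:
    """Return (major.minor line, build number) from a vpxd -v banner,
    or None if the banner does not match the expected format."""
    m = VPXD_RE.search(banner)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def is_patched(banner: str) -> Optional[bool]:
    """True if the build is at or above the fixed build for its line,
    False if it is older, None if the banner cannot be parsed or the
    line is not covered by the fixed-build table (treat None as
    'unknown, investigate', never as 'safe')."""
    parsed = parse_vpxd_version(banner)
    if parsed is None:
        return None
    line, build = parsed
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return None
    # Builds increase monotonically within a line, so a simple
    # comparison against the first fixed build is sufficient.
    return build >= fixed


if __name__ == "__main__":
    # Constructed sample banners, not captured from real systems.
    samples = [
        "VMware VirtualCenter 6.7.0 build-16708996",  # older than 6.7 U3l
        "VMware VirtualCenter 7.0.1 build-17327517",  # exactly 7.0 U1c
        "VMware VirtualCenter 6.5.0 build-17590285",  # exactly 6.5 U3n
        "VMware VirtualCenter 6.0.0 build-9999999",   # line not in table
    ]
    for banner in samples:
        print(f"{banner} -> patched: {is_patched(banner)}")
```

Run `vpxd -v` over SSH on each appliance and feed the output to `is_patched`; a `None` result means the check could not decide and the host needs manual review, not that it is safe.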

However, the proof-of-concept code posted by the Chinese researcher, along with other exploits that followed, effectively denied companies that grace period and kicked off a free-for-all mass scan for vulnerable vCenter systems still connected to the internet, with hackers hurrying to compromise systems before rival gangs could.

Making matters worse, the exploit for this bug is a single cURL request, which makes it trivial even for low-skilled threat actors to automate attacks. Any vCenter server whose management interface is reachable from the internet should be assumed to have been scanned by now, and administrators who cannot patch immediately should apply the temporary workaround (disabling the affected plugin) that VMware documents alongside its advisory.
