Researchers are sounding the alarm bells, noting that hackers are desperately scanning the internet for unpatched VMware servers that contain a dangerous code-execution vulnerability.
The vSphere Client (HTML5) contains a remote code execution vulnerability (CVE-2021-21972) in a vCenter Server plugin, meaning hackers with the right network access (to port 443, according to VMware) can execute commands with unrestricted privileges on the underlying operating system hosting the vCenter Server.
After issuing a patch this Feb. 23, VMware gave the vulnerability a score of 9.8, also known as a “Critical” rating, on its severity range.
The next day, cybersecurity researcher Troy Mursch of Bad Packets said hackers were actively searching for vulnerable servers.
“We’ve detected mass scanning activity targeting vulnerable VMware vCenter servers (https://vmware.com/security/advisories/VMSA-2021-0002.html),” Mursch tweeted Wednesday.
We’ve detected mass scanning activity targeting vulnerable VMware vCenter servers (https://t.co/t3Gv2ZgTdt).
Query our API for “tags=CVE-2021-21972” for relevant indicators and source IP addresses. #threatintel https://t.co/AcSZ40U5Gp
— Bad Packets (@bad_packets) February 24, 2021
Bad Packets tweeted that there are nearly 15,000 vCenter servers exposed to the internet, some of which are based in Canada.
CVE-2021-21972 activity detected from hosts in:
🇦🇱
🇧🇷
🇨🇦
🇨🇳
🇮🇳
🇮🇩
🇳🇱
🇰🇷
🇨🇭
🇦🇪
🇬🇧
🇺🇸
🇻🇳 https://t.co/kOfqzW2Rmi— Bad Packets (@bad_packets) February 25, 2021
VMware says CVE-2021-21972 affects vCenter Server versions 6.5, 6.7, and 7.01. Anyone running one of these versions should update immediately to the latest patches. If that’s not possible, VMware has published these workarounds.