On September 21, 2021, VMware released a statement warning that Internet-exposed vCenter Server instances are being actively targeted by attackers. The attackers are running mass scans for unpatched vCenter appliances in order to exploit CVE-2021-22005, a security flaw well suited to ransomware operations. Initially reported by SolidLab LLC, the flaw is a file upload vulnerability that can be exploited by anyone who can reach a vCenter server over the network, allowing remote code execution and granting the attacker access regardless of configuration settings.
As of now, scanning activity has been seen coming from the IP address 116[.]48.233.234. It has been reported that the scans make use of the workaround information VMware provided for customers who did not immediately patch their appliances when several vulnerabilities were disclosed during the winter and summer of 2021. Those vulnerabilities include a flaw (CVE-2021-21972) affecting all default vCenter installs and a remote code execution vulnerability (CVE-2021-21985). Seventeen other VMware vulnerabilities also need attention; however, VMware stated that those are not nearly as critical as CVE-2021-22005.
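For teams reviewing the web access logs of an exposed vCenter appliance, the following is an added example (not code from VMware or from the original article) of how the published indicator can be refanged and matched against log lines, together with a generic heuristic that flags sources probing many non-existent paths, which is what a mass scan for unpatched appliances tends to look like from the server side. The log format (Common Log Format), the sample lines, the other addresses and the `/probe-*` paths are all constructed for the example; only the scanner IP comes from the advisory.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Indicator as published in the advisory text above (defanged form).
DEFANGED_SCANNER_IP = "116[.]48.233.234"


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('116[.]48.233.234', 'hxxp://') back to its literal form."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


@dataclass
class LogEntry:
    client_ip: str
    method: str
    path: str
    status: int
    raw: str


# Common Log Format: '<ip> <ident> <user> [<timestamp>] "<method> <path> <proto>" <status> <bytes>'
# (assumed log format; adjust the pattern for the format your reverse proxy actually writes)
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)


def parse_access_log_line(line: str) -> Optional[LogEntry]:
    """Parse one CLF line; return None for lines that do not match the format."""
    m = _CLF.match(line)
    if not m:
        return None
    return LogEntry(m.group("ip"), m.group("method"), m.group("path"), int(m.group("status")), line)


def find_ioc_hits(lines: Iterable[str], iocs: Iterable[str]) -> List[LogEntry]:
    """Return every parsed request whose client IP matches one of the (possibly defanged) indicators."""
    watch = {refang(i) for i in iocs}
    return [e for e in (parse_access_log_line(l) for l in lines) if e and e.client_ip in watch]


def scan_suspects(lines: Iterable[str], min_distinct_404: int = 3) -> Set[str]:
    """Generic scan heuristic: client IPs that requested at least N distinct paths answered with 404."""
    probes = defaultdict(set)
    for line in lines:
        e = parse_access_log_line(line)
        if e and e.status == 404:
            probes[e.client_ip].add(e.path)
    return {ip for ip, paths in probes.items() if len(paths) >= min_distinct_404}


# Constructed sample log lines (not real traffic); 198.51.100.7 is a TEST-NET address.
SAMPLE_LOG = [
    '116.48.233.234 - - [22/Sep/2021:10:01:12 +0000] "GET / HTTP/1.1" 200 512',
    '10.0.0.5 - - [22/Sep/2021:10:01:15 +0000] "GET /ui/ HTTP/1.1" 200 2048',
    '116.48.233.234 - - [22/Sep/2021:10:01:16 +0000] "GET /ui/ HTTP/1.1" 200 2048',
    '198.51.100.7 - - [22/Sep/2021:10:02:01 +0000] "GET /probe-1 HTTP/1.1" 404 0',
    '198.51.100.7 - - [22/Sep/2021:10:02:02 +0000] "GET /probe-2 HTTP/1.1" 404 0',
    '198.51.100.7 - - [22/Sep/2021:10:02:03 +0000] "GET /probe-3 HTTP/1.1" 404 0',
    '10.0.0.5 - - [22/Sep/2021:10:03:00 +0000] "GET /missing.png HTTP/1.1" 404 0',
    "this is not a log line",
]


def main() -> None:
    for hit in find_ioc_hits(SAMPLE_LOG, [DEFANGED_SCANNER_IP]):
        print(f"IOC match: {hit.client_ip} {hit.method} {hit.path} -> {hit.status}")
    for ip in sorted(scan_suspects(SAMPLE_LOG)):
        print(f"possible scanner (many 404s): {ip}")


if __name__ == "__main__":
    main()
```

The IoC match is exact and only as good as the published list, so the 404-based heuristic is there to surface scanning from addresses that have not yet been reported; tune `min_distinct_404` against your own baseline before alerting on it.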
Leaving vCenter servers unpatched is not recommended. If servers are left unpatched, attackers could gain control over desktops and user accounts and steal confidential data and intellectual property. They could then use that stolen data while patiently and quietly working to break into other systems over long periods of time, with the ultimate goal of installing ransomware and extorting payment.
CVE-2021-22005 affects vCenter Server versions 6.5, 6.7, and 7.0.