Hackers are attempting to exploit VMware vCenter Server RCE flaw
Virtualization vendor VMware recently issued an emergency security bulletin: a high-risk vulnerability in VMware vCenter Server is being actively exploited.
The vulnerability carries a CVSS score of 9.8 out of 10. At least one working exploit has already been published on the Internet, and attackers are actively scanning for vulnerable servers and attempting to attack them.
The flaw lets an attacker bypass authentication entirely and execute arbitrary code on the target server. Some servers have already been compromised.
The vulnerability is tracked as CVE-2021-21985. Researchers have worked out how it can be exploited and have released a proof of concept.
According to the researchers, the exploit is highly reliable and stable, and the code could be repurposed for malicious use with almost no additional work.
The vulnerability stems from certain default settings in the vCenter Server configuration file; if an organization does not change them, the relevant ports are exposed to the public Internet.
Researchers have observed many attackers actively exploiting the vulnerability: in one honeypot test, a web shell was installed on the exposed server within 35 minutes.
The researchers were surprised that the intruders did not install cryptocurrency mining software, which suggests they intended to remain hidden and launch other kinds of attacks.
https://twitter.com/GossiTheDog/status/1400868390726733831
The US Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, also issued a warning immediately after being notified, because of the severity of the vulnerability.
The main concern is that VMware vCenter Server is widely deployed in enterprises, where it is used to centrally manage VMware virtual machines.
An attacker who takes control of a vCenter Server can use that foothold for a far broader attack, so enterprises should install the update immediately or, failing that, disconnect the server from the public Internet.
CISA noted that a fix is available, but many companies have not yet deployed the update and have become targets of attackers.
Enterprises therefore need to deploy the update. If you are an enterprise administrator, consult VMware's security bulletin immediately and apply the update according to its guidance. The vulnerability was discovered by Ricter Z of 360 Noah Lab.