VMware vCenter under widespread attack

A set of vulnerabilities in the VMware vCenter virtualisation management platform and the company's Cloud Foundation are under active attack currently with users strongly adviced to patch their instances as soon as possible.

The bugs allow for remote code execution, with proof-of-concept code for one of them now being published on social media that uses built-in UNIX shell tools for exploitation.

Other proof-of-concept code is appearing for the other VMware vulnerabilities, but researchers are holding back on publishing full details to allow admins to patch their installations first.

Notes:
- CVE-2021-22005 is TWO different vulnerabilities. ��
- The missing part from this PoC will indeed keep away script kiddies, but not any determined actor.
- I haven't seen a complete exploit published yet, but surely it'll only a BRIEF amount of time before that happens. https://t.co/KgHWwtkUU1 pic.twitter.com/DxhxoKaDUO

— Will Dormann (@wdormann) September 27, 2021

Security researchers have detected mass exploitation attempts taking place.

CVE-2021-22005 activity detected from the following hosts targeting our VMware vCenter honeypots:

112.120.42.194 (����)
58.187.174.106 (����)
169.51.60.221 (����)
206.189.87.217 (����)
95.211.95.232 (����)
194.233.71.145 (����)
66.42.35.25 (����)
13.251.1.199 (����)
#threatintel

— Bad Packets (@bad_packets) September 28, 2021

VMWare has acknowledged the multiple critical vulnerabilities in its vCenter Server and Cloud Foundation products, and is advising customers to act immediately to remedy the bugs as not doing so may have serious ramifications.

The company has also confirmed the vulnerabilities are being exploited in the wild currently.

Updates are available from VMware that resolve the vulnerabilities, the most serious of which is a vCenter file upload bug that's rated as 9.8 out of a maximum 10 severity on the Common Vulnerabilities and Exposures (CVE) list. The bug allows for remote code execution.