An exploit for the recently fixed RCE vulnerability in VMware vCenter (CVE-2021-22005) has been published online. Experts warned that hackers had already adopted the exploit.
The issue CVE-2021-22005 became known last week, when VMware engineers reported that they had fixed the bug and recommended that users install the updates as soon as possible: the vulnerability is classified as critical and received a 9.8 out of 10 on the CVSS scale. The bug affects machines running vCenter Server versions 6.7 and 7.0.
According to information security company Bad Packets, network scanning in search of vulnerable machines began last week. The attacks came from Canada, the United States, Romania, the Netherlands, China and Singapore.
Bad Packets specialist Troy Mursch told Bleeping Computer that the attacks recorded by the company’s honeypots used code based on an incomplete exploit previously published by Vietnamese security researcher Jang.
Jang studied the VMware patch and the company’s proposed workarounds, and then published an article with his findings on the vulnerability, along with a PoC exploit (which was incomplete and did not lead to remote code execution). Alas, these details were enough for the hackers to create their own working exploit for CVE-2021-22005, which allows remote code execution with root rights.
Jang told Bleeping Computer that he believed it would take an average attacker about an hour to create a working and reliable version of the exploit. He strongly recommends that administrators defend against CVE-2021-22005 attacks as soon as possible.
The researcher also posted a video demonstrating how an attacker could exploit the vulnerability.
IoT search engines currently find thousands of VMware vCenter Server instances reachable from the Internet: Shodan finds more than 5,000 machines, and Censys about 6,800. Of course, not all of these servers are vulnerable to CVE-2021-22005. For example, Censys notes that 3,264 hosts are “potentially vulnerable,” while 436 have already been patched.