Mass Scanning For VMWare vCenter RCE

June 7, 2021 05:35 PM

Attackers are actively scanning for two critical remote command execution (RCE) vulnerabilities in VMWare vCenter servers.


The first vulnerability, tracked as CVE-2021-21972, allows remote malicious actors unrestricted access to the host operating system. The vulnerability has a critical score of 9.8 and was disclosed in February of this year. Functioning proofs of concept and mass scanning activity followed within a few days of the disclosure. Recently, the vulnerability has been found weaponized by the cryptomining Python botnet "Necro."

The second RCE vulnerability, tracked as CVE-2021-21985, also allows remote actors unrestricted access to the host operating system and also has a critical score of 9.8. The vulnerability was disclosed on May 25th, and by June 2nd a blog post surfaced with technical details of the exploit. At the time of writing, the details enabling weaponization of CVE-2021-21985 have been available for only three days, and malicious activity is ramping up quickly.

vSphere servers are a hot commodity for malicious actors: they reside inside enterprise networks or virtual private clouds and provide reasonably large amounts of CPU and memory. Whether for cryptojacking and ransomware, for use as malicious infrastructure, or as a jump host for lateral movement and espionage or extortion, vulnerable and exposed servers are easily located and will be abused by malicious actors.


On February 23, 2021, VMware disclosed an RCE vulnerability in a vCenter Server plugin, reachable through the vSphere HTML5 client. The severity of the issue was evaluated to be critical, with a CVSSv3 score of 9.8. A malicious actor with network access to the server could exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts the vCenter Server. The privately reported vulnerability was disclosed simultaneously with a patch that fixed the issue, in advisory VMSA-2021-0002.

On February 24, 2021, Mikhail Klyuchnikov of Positive Technologies published detailed results of his research from the autumn of 2020 that led to the discovery of the vulnerability. Positive Technologies originally planned to delay the release of the technical details to give organizations time to patch their vCenter servers, but after two functioning PoC exploits had already been released and attackers had started scanning for unpatched servers, it published earlier.

