VMware vCenter Server Vulnerability CVE-2021-22005 Under Active Exploit
On September 24, 2021, VMware confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability.
To mitigate CVE-2021-22005, CISA strongly urges critical infrastructure entities and other organizations with affected vCenter Server versions to take the following actions.
- Upgrade to a fixed version as quickly as possible. See VMware Security Advisory VMSA-2021-0020 for patching information.
- Apply the temporary workaround provided by VMware, if unable to upgrade to a fixed version immediately. See VMware’s workaround instructions for CVE-2021-22005.
Unlike the exploit code that began circulating at the end of last week, the newer variant can be used to open a reverse shell on a vulnerable system, allowing remote attackers to execute code of their choice.
The vulnerability does not require authentication and allows attackers to upload a file to the vCenter Server analytics service.
VMware describes the vulnerability as being exploitable “by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.”
Please reach out to our support team if you have any questions or need assistance with getting these patches applied.