UPDATED 22:21 EDT / JUNE 07 2021

SECURITY

Critical vulnerabilities in VMware software targeted by hackers

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has warned companies to apply patches to VMware vCenter Server and VMware Cloud Foundation after critical vulnerabilities in the software were found to be exploited in the wild.

The two vulnerabilities, tracked as CVE-2021-21985 and CVE-2021-21986, were both detailed and patched by VMware on May 25. As is often the case with software and hardware of all kinds, many users either delay patching or don’t apply updates regularly.

“Although patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system,” the June 4 CISA advisory states.

CVE-2021-21985 is described as a remote code execution flaw caused by a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. It has a CVSSv3 severity score of 9.8 out of 10. CVE-2021-21986 is a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager and VMware Cloud Director Availability plug-ins. It has a severity score of 6.5.

In both cases the attack vector is the same: a malicious actor with network access to port 443 on vCenter Server can exploit the flaws. For CVE-2021-21985 that means executing commands with unrestricted privileges on the underlying operating system that hosts vCenter Server; for CVE-2021-21986 it means performing actions allowed by the affected plug-ins without authentication.

Scanning for vulnerable VMware vSphere hosts was detected and reported by Bad Packets on Twitter on June 3. Security researcher Kevin Beaumont also said on Twitter that he had detected an IP address scanning for the vulnerability against his honeypots, which were running unpatched VMware vSphere.

Bad Packets posted several days later that it had detected further scanning targeting the VMware vulnerability.

VMware noted that the affected Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used.
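Because the only precondition for both flaws is network reachability to TCP/443 on vCenter Server, and the scanning described above is exactly what that looks like from the outside, a simple control worth having until patches are applied is an alert on any connection to a vCenter host’s port 443 that does not come from an approved management network. The following script is an added example written for this article, not code from VMware, CISA or the researchers quoted; the vCenter addresses, management range and firewall log lines (timestamp, source, destination, port, action) are constructed for illustration and do not correspond to any real product’s log format.

```python
"""Flag TCP/443 connections to vCenter Server from outside the management network.

Added example, not from the article or from VMware. Addresses, the management
range and the log format are assumptions constructed for illustration.
"""
import ipaddress
from collections import Counter

# Assumed addresses of vCenter Server appliances (constructed).
VCENTER_HOSTS = {"10.0.10.5", "10.0.10.6"}

# Assumed networks from which administrators may reach the vSphere UI/API.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.20.0/24")]

# Constructed sample firewall log: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2021-06-03T01:12:09Z 10.0.20.14 10.0.10.5 443 ALLOW
2021-06-03T01:12:11Z 198.51.100.23 10.0.10.5 443 ALLOW
2021-06-03T01:12:12Z 198.51.100.23 10.0.10.6 443 ALLOW
2021-06-03T01:13:40Z 203.0.113.77 10.0.10.5 443 DENY
2021-06-03T01:14:02Z 10.0.20.14 10.0.10.5 22 ALLOW
2021-06-03T01:15:55Z 10.0.30.9 10.0.10.5 443 ALLOW
malformed line that should be skipped
"""


def parse_line(line):
    """Return (src, dst, dport, action), or None if the line does not fit the assumed layout."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, src, dst, dport, action = parts
    try:
        return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), action
    except ValueError:
        return None


def is_management(src):
    """True if the source address lies inside an approved management network."""
    return any(src in net for net in MANAGEMENT_NETS)


def find_suspicious(log_text, vcenter_hosts=VCENTER_HOSTS, allowed_actions=("ALLOW",)):
    """Return (src, dst) pairs for connections to vCenter:443 that the firewall allowed
    and that did not originate from a management network. Denied attempts are not
    included here because they never reached vCenter; see scanning_sources()."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, action = rec
        if (str(dst) in vcenter_hosts and dport == 443
                and action in allowed_actions and not is_management(src)):
            hits.append((str(src), str(dst)))
    return hits


def scanning_sources(log_text, vcenter_hosts=VCENTER_HOSTS):
    """Count every attempt (allowed or denied) against vCenter:443 per non-management source,
    which is the view you want when looking for the kind of scanning reported above."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, _action = rec
        if str(dst) in vcenter_hosts and dport == 443 and not is_management(src):
            counts[str(src)] += 1
    return counts


if __name__ == "__main__":
    for src, dst in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: {src} reached vCenter {dst} on TCP/443 from outside the management network")
    for src, n in scanning_sources(SAMPLE_LOG).most_common():
        print(f"{src}: {n} attempt(s) against vCenter port 443")
```

On the constructed log this reports three allowed connections from non-management sources (two from 198.51.100.23, one from 10.0.30.9) and counts the denied probe from 203.0.113.77 as a scanning attempt. The separation between allowed and denied matters: an allowed hit against an unpatched vCenter is an incident to investigate, whereas a denied one is evidence of scanning and a reason to confirm the patch is in place before the perimeter rule changes.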

Photo: Robert Hof/SiliconANGLE
