VMware has confirmed that a critical vCenter Server remote code execution vulnerability patched in October is now under active exploitation.
vCenter Server is a management platform for VMware vSphere environments that helps administrators manage ESX and ESXi servers and virtual machines (VMs).
The vulnerability was reported by Trend Micro vulnerability researcher Grigory Dorodnov and is caused by an out-of-bounds write weakness in vCenter’s DCE/RPC protocol implementation.
Attackers can exploit it remotely in low-complexity attacks with high confidentiality, integrity, and availability impact that don’t require authentication or user interaction. Due to its critical nature, VMware has also issued security patches for multiple end-of-life products without active support.
Network access brokers like to take over VMware servers and then sell on cybercrime forums to ransomware gangs for easy access to corporate networks. Many ransomware groups (like Royal, Black Basta, LockBit, and, more recently, RTM Locker, Qilin, ESXiArgs, Monti, and Akira) are now known for directly targeting the victims’ VMware ESXi servers to steal and encrypt their files and demand huge ransoms.
According to Shodan data, more than 2,000 VMware Center servers are currently exposed online, potentially vulnerable to attacks and exposing corporate networks to breach risks given their vSphere management role.
Because there is no workaround, VMware has urged admins who can’t patch their servers to strictly control network perimeter access to vSphere management components.
“VMware strongly recommends strict network perimeter access control to all management components and interfaces in vSphere and related components, such as storage and network components, as part of an overall effective security posture,” the company warned.
The specific network ports linked to potential exploitation in attacks targeting this vulnerability are 2012/tcp, 2014/tcp, and 2020/tcp.
In June, VMware also fixed multiple high-severity vCenter Server security flaws posing code execution and authentication bypass risks to vulnerable servers.
Since the start of the year, IT admins and security teams have had to address warnings of multiple security vulnerabilities under active exploitation, including zero-days affecting Ivanti Connect Secure, Ivanti EPMM, and Citrix Netscaler servers.