Threat Watch

Thousands of VMware vCenter Servers Remain Open to Attack Over the Internet

Three weeks after company VMWare disclosed two critical vulnerabilities in the workload management utility, many organizations have not patched the technology yet, security vendor says. Thousands of instances of VMware vCenter Servers with two recently disclosed vulnerabilities in them remain publicly accessible on the Internet three weeks after the company urged organizations to immediately patch the flaws, citing their severity. The flaws, CVE-2021-21985 and CVE-2021-21986, basically give attackers a way to take complete control of systems running vCenter Server, a utility for centrally managing VMware vSphere virtual server environments. The vulnerabilities exist in vCenter Server versions 6.5, 6.7, and 7.0. “The vulnerabilities are critical and can result in complete system takeover via remote code exploitation,” said Karl Sigler of Trustwavesays. The flaws are also relatively easy to exploit for any attacker with even a rudimentary understanding of HTTP and so-called REST application programming interfaces. “An attacker wouldn’t even need specialized tools or software, as an entire attack can be performed with standard tools like ‘curl,'” Sigler says.


Even if a company’s instance of vCenter Server is not exposed to the Internet, the safest stance is to assume that attackers may already have a foothold in the network using techniques such as phishing or spear phishing. This vulnerability is critical, can result in complete system takeover, and is simple to exploit. IT administrators should download and apply this patch as soon as possible to mitigate the threat.—threats/thousands-of-vmware-vcenter-servers-remain-open-to-attack-over-the-internet/d/d-id/1341310