6,700 VMware vCenter servers exposed to hackers

Thousands of VMware vCenter servers are currently exposed online and vulnerable to a new attack that can allow hackers to take over devices. The exploit for this bug is also a one-line cURL request, which makes it easy even for low-skilled threat actors to automate attacks.

VMware has taken this bug very seriously: it has assigned a CVSSv3 severity score of 9.8 out of a maximum of 10 and is urging customers to update their systems as soon as possible.

Impacted Products

  • VMware ESXi
  • VMware vCenter Server
  • VMware Cloud Foundation

Users of these products are well-advised to head over to the official VMware response page at https://www.vmware.com/security/advisories/VMSA-2021-0002.html

Advisory ID: VMSA-2021-0002
CVSSv3 Range: 5.3-9.8
Issue Date: 2021-02-23
Updated On: 2021-02-23 (Initial Advisory)
CVE(s): CVE-2021-21972, CVE-2021-21973, CVE-2021-21974
Synopsis: VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)

Twitter user @bad_packets has reported:

We’ve detected mass scanning activity targeting vulnerable VMware vCenter servers (https://vmware.com/security/advisories/VMSA-2021-0002.html).

Query our API for “tags=CVE-2021-21972” for relevant indicators and source IP addresses. #threatintel