Recently, VMware disclosed that its vCenter Server is affected by an arbitrary file upload vulnerability — CVE-2021-22005 — in the Analytics service. A malicious cyber actor with network access to port 443 can exploit this vulnerability to execute code on the vCenter Server.


John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based digital IT and security operations company, says, “Remote code execution as root on these types of devices is pretty significant. Almost every organization operates virtual machines, and if I have root access, I could ransom every machine in that environment or steal the data on those virtual machines with relative ease.”


On September 24, 2021, VMware confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, The Cybersecurity and Infrastructure Security Agency (CISA) expects widespread exploitation of this vulnerability.


Alec Alvarado, Threat Intelligence Team Lead at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, “With a nearly functional proof of concept (PoC) out there, technically sophisticated threats interested in leveraging the vulnerability already are leveraging it. If and when a complete PoC is published, it opens the door for less sophisticated actors who want in.”


To mitigate CVE-2021-22005, CISA strongly urges critical infrastructure entities and other organizations with affected vCenter Server versions to take the following actions.


Bud Broomhead, CEO at Viakoo, a Mountain View, Calif.-based provider of automated IoT cyber hygiene, explains, “Managing patches manually leaves an organization at risk due to the slow (or non-existent) nature of the process, leaving an organization vulnerable. This is especially true regarding IoT vulnerabilities. Moving forward, automated solutions will continue to be of the utmost necessity.