A fully working exploit for the remote code execution vulnerability in VMware vCenter tracked as CVE-2021-22005 is now publicly available, and it is being exploited in the wild.
In contrast to the version that began to circulate at the end of last week, this variant can be used to open a reverse shell on a vulnerable system, allowing remote attackers to execute code of their choosing. The flaw requires no authentication and lets intruders upload a file to the vCenter Server analytics service.
On Monday, exploit writer wvu published an exploit for CVE-2021-22005 that targets endpoints with the Customer Experience Improvement Program (CEIP) component enabled, which is the default setting.
VMware, however, describes the vulnerability as exploitable "by anyone who can reach vCenter Server over the network to gain access, regardless of vCenter Server's configuration settings." In a technical write-up released this week, wvu walks through what the code does at each step, beginning with a request that creates the directory required for the path traversal and schedules the spawning of a reverse shell.
Although the exploit creates several files, the attack is not logged by standard solutions, according to the researcher, who suggests using the Audit framework, which records both security-related and non-security-related events.
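The detection angle above, as an added example that is not part of the article or of wvu's write-up: a small parser for Linux auditd records that reports files created under a directory covered by an audit watch rule. The directory path and audit key are placeholders (the article does not name the path the analytics service writes to), and the audit log lines are constructed for the example.

```python
"""Report files created under a watched directory, from auditd records.

Added example, not from the article or from wvu's write-up. The directory
path and audit key are placeholders; the log lines below are constructed.
A matching auditd watch rule (standard auditctl syntax) would be:

    auditctl -w /PLACEHOLDER/vcenter-analytics -p wa -k analytics_write
"""
import re
from collections import defaultdict

# Placeholder values: substitute the directory the service actually writes to.
WATCHED_DIR = "/PLACEHOLDER/vcenter-analytics"
AUDIT_KEY = "analytics_write"

# Constructed sample audit log: event 4567 creates a file under the watched
# directory (matches the rule key); event 4568 is benign and touches a path
# outside it with no key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1632800000.123:4567): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=2345 auid=4294967295 uid=1000 gid=1000 comm="java" exe="/usr/bin/java" key="analytics_write"
type=CWD msg=audit(1632800000.123:4567): cwd="/"
type=PATH msg=audit(1632800000.123:4567): item=0 name="/PLACEHOLDER/vcenter-analytics" inode=1001 nametype=PARENT
type=PATH msg=audit(1632800000.123:4567): item=1 name="/PLACEHOLDER/vcenter-analytics/dropped.sh" inode=1002 nametype=CREATE
type=SYSCALL msg=audit(1632800001.456:4568): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=2346 auid=4294967295 uid=0 gid=0 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key=(null)
type=PATH msg=audit(1632800001.456:4568): item=0 name="/var/log/messages" inode=2001 nametype=NORMAL
"""

# key=value pairs; values are either a double-quoted string or a bare token.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): ?(.*)$')


def parse_record(line):
    """Split one auditd line into (type, serial, fields); None if malformed."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, _timestamp, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(rest)}
    return rtype, int(serial), fields


def group_events(log_text):
    """Group records by event serial; auditd emits several records per event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, serial, fields = parsed
            events[serial].append((rtype, fields))
    return events


def find_created_files(log_text, watched_dir=WATCHED_DIR, key=AUDIT_KEY):
    """Return (serial, exe, path) for each file created under watched_dir.

    An event qualifies when its SYSCALL record carries the rule key and a
    PATH record with nametype=CREATE names a file inside the directory.
    """
    hits = []
    prefix = watched_dir.rstrip("/") + "/"
    for serial, records in sorted(group_events(log_text).items()):
        syscall = next((f for t, f in records if t == "SYSCALL"), None)
        if not syscall or syscall.get("key") != key:
            continue
        for rtype, f in records:
            if (rtype == "PATH" and f.get("nametype") == "CREATE"
                    and f.get("name", "").startswith(prefix)):
                hits.append((serial, syscall.get("exe", "?"), f["name"]))
    return hits


if __name__ == "__main__":
    for serial, exe, path in find_created_files(SAMPLE_LOG):
        print(f"event {serial}: {exe} created {path}")
```

The grouping step matters: auditd splits one file-creation event across SYSCALL, CWD and PATH records that share a serial number, so the rule key on the SYSCALL record and the created filename on the PATH record have to be joined before either is useful.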
On September 21, VMware published CVE-2021-22005 with a critical severity rating of 9.8 out of 10, along with clear advice for companies to consider "an emergency change" in line with ITIL best practices for IT service management, and to patch "as soon as possible."
In an alert issued on Friday, CISA also urged critical infrastructure organizations with vulnerable vCenter servers to prioritize upgrading them or to apply VMware's interim workaround.
The initial proof-of-concept exploit code was made public four days later. Although the code was non-functional in its initial form, it could readily be completed to achieve remote code execution, and attacks followed quickly.
Following an analysis of the unfinished code, CERT/CC vulnerability expert Wil Dormann stated that "the missing portion from this PoC will indeed keep away script kiddies, but not any determined actor,” adding that a complete attack should be available shortly.
Threat actors showed interest in the flaw just hours after VMware disclosed it, and they rapidly developed a workable exploit from the unfinished code that security researcher Jang released last week together with some technical notes.
With a fully functional exploit now available, the number of attacks is expected to rise as less-skilled actors join in. VMware warned that falling victim to a ransomware attack is one of the most serious risks a company faces.