Rule released to protect against severe VMware vulnerability that attackers are exploiting in the wild

Cisco Talos released a SNORTⓇ rule over the weekend to protect against exploitation of a severe vulnerability in VMware's vSphere Client’s Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server.

An attacker with network access to this service can exploit this vulnerability to gain remote code execution on the affected vCenter Server.

Talos released the new rule, 57720, late Friday night after news broke that the vulnerability was being exploited in the wild and a security researcher published a proof of concept.

The vulnerability, tracked as CVE-2021-21985, exists in the software that allows users to manage virtualization in large data centers. 

VMware warned users in an advisory earlier this month that vCenter machines using the default configurations contained the vulnerability. An attacker could exploit this vulnerability to execute malicious code on machines that are connected to vCenter and are exposed to the internet.

You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing as well here. The Snort 3 release is also here after years of development and improvements. Upgrade here.