VMware ESXi: attacks on a two-year-old vulnerability

A vulnerability in VMware ESXi that was fixed in early 2021 is now under active attack. Companies that didn't bother to apply the fix back then should start looking into it now.


The Italian cyber security authority ACN is currently warning companies about a hacker group exploiting a vulnerability in VMware ESXi that was fixed two years ago. French, British, US and Canadian authorities have also reported attacks.

Since malicious code may also have been left behind on the infected systems, applying the fix that has been available for two years is not enough. In addition to the patch, the attacked systems require extensive diagnostics.


Vulnerability CVE-2021-21972

Although the ACN warning does not state exactly which vulnerability is being exploited, a correspondingly dangerous vulnerability was fixed in February 2021. CVE-2021-21972 had already been known for a year at the time.

The discoverer, security researcher Mikhail Klyuchnikov, was able to use it to send unauthorized requests to the web panel of the vSphere client. ESXi is the hypervisor of vSphere and is therefore directly connected to it. The directory traversal vulnerability makes it possible to unpack files anywhere on the vulnerable system using simple character strings.
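As an added illustration of the vulnerability class described above (not code from VMware, the researcher, or the cited sources): an archive member whose name contains "../" or starts with "/" escapes the intended unpack directory unless every name is normalised and checked before anything is written. All archive names and contents below are constructed sample data.

```python
import io
import os
import tarfile
import tempfile

def is_safe_member(base_dir, member_name):
    """True only if member_name still resolves inside base_dir after normalisation.
    '../' sequences and absolute names (the 'simple character strings' of a
    directory traversal) resolve outside base_dir and are rejected."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, member_name))
    return os.path.commonpath([base, target]) == base

def build_archive(entries):
    """Build an in-memory tar from {name: bytes}; constructed sample data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def safe_extract(archive_bytes, dest_dir):
    """Write only regular files whose names stay inside dest_dir.
    Returns (extracted, rejected) lists of member names."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            # Symlinks, devices and directories are skipped; traversal names are refused.
            if not member.isfile() or not is_safe_member(dest_dir, member.name):
                rejected.append(member.name)
                continue
            out_path = os.path.join(os.path.realpath(dest_dir), member.name)
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with open(out_path, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            extracted.append(member.name)
    return extracted, rejected

def run_demo():
    """Constructed archive mixing benign entries with two traversal attempts."""
    archive = build_archive({
        "plugin/config.txt": b"ok",
        "plugin/sub/data.bin": b"\x00\x01",
        "../../outside.txt": b"would land outside the unpack directory",
        "/tmp/absolute.txt": b"absolute path",
    })
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(archive, dest)
```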

Since vSphere can be reached from the web without any additional user settings, the service is always exposed to the vulnerability. Attackers only have to scan en masse for non-updated devices to gain access to various services.

Particularly problematic: a free and easily accessible exploit for this old vulnerability has even been published on GitHub.

Sources: golem.de & Security Insider