The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory to confirm it is "aware of the likelihood" that attackers are attempting to exploit CVE-2021-21985.
This is a remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. VMware patched the flaw on May 25 alongside CVE-2021-21986 and grouped the two under a single critical security advisory. CVE-2021-21985 has a CVSSv3 score of 9.8/10 and CVE-2021-21986 has a score of 6.5/10.
"Although patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system," CISA officials wrote in the advisory.
In its description of CVE-2021-21985, VMware explained that the vSphere Client (HTML5) contains a remote code execution flaw caused by a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in vCenter Server. An attacker with network access to port 443 can exploit this issue "to execute commands with unrestricted privileges" on the underlying operating system that hosts vCenter Server.
"The affected Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used," company officials wrote.