Organizations running vCenter Server and VMware Cloud Foundation are urged to apply fixes deployed on May 25.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory to confirm it is "aware of the likelihood" that attackers are attempting to exploit CVE-2021-21985.
This is a remote code execution vulnerability in the VMware vCenter Server and VMware Cloud Foundation. VMware patched the flaw on May 25 alongside CVE-2021-21986 and grouped the two under a critical security advisory. CVE-2021-21985 has a CVSSv3 score of 9.8/10 and CVE-2021-21986 has a score of 6.5/10.
"Although patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system," CISA officials wrote in the advisory.
In its description of CVE-2021-21985, VMware explained the vSphere Client (HTML5) contains a remote code execution flaw due to lack of input validation in the Virtual SAN Health Check plug-in that is enabled by default in vCenter Server. An attacker with network access to port 443 can exploit this issue "to execute commands with unrestricted privileges" on the underlying operating system that hosts vCenter Server.
"The affected Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used," company officials wrote.
Read the full CISA advisory and VMware blog post for more information.
About the Author(s)
You May Also Like
Securing Code in the Age of AI
April 24, 2024Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024