CISA Warns Criminals Seek to Exploit Critical VMware Bug

Organizations running vCenter Server and VMware Cloud Foundation are urged to apply fixes deployed on May 25.

Dark Reading Staff, Dark Reading

June 8, 2021

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory to confirm it is "aware of the likelihood" that attackers are attempting to exploit CVE-2021-21985.

This is a remote code execution vulnerability in the VMware vCenter Server and VMware Cloud Foundation. VMware patched the flaw on May 25 alongside CVE-2021-21986 and grouped the two under a critical security advisory. CVE-2021-21985 has a CVSSv3 score of 9.8/10 and CVE-2021-21986 has a score of 6.5/10.

"Although patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system," CISA officials wrote in the advisory.

In its description of CVE-2021-21985, VMware explained the vSphere Client (HTML5) contains a remote code execution flaw due to lack of input validation in the Virtual SAN Health Check plug-in that is enabled by default in vCenter Server. An attacker with network access to port 443 can exploit this issue "to execute commands with unrestricted privileges" on the underlying operating system that hosts vCenter Server.

"The affected Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used," company officials wrote.

Read the full CISA advisory and VMware blog post for more information.