VMware

Chris Swagler | March 17th, 2023


A critical-severity vulnerability in VMware Cloud Foundation has been added to CISA’s catalog of security flaws exploited in the wild. The vulnerability, tracked as CVE-2021-39144, is an unsafe-deserialization bug in the XStream open-source library (versions before 1.4.18), which the affected VMware products bundle, and VMware rated it a near-maximum 9.8/10 on the CVSS scale. It can be exploited in low-complexity attacks by unauthenticated threat actors, with no user interaction required, to remotely execute arbitrary code as root on unpatched appliances. The root cause is an unauthenticated endpoint in VMware Cloud Foundation (NSX-V) that hands client-supplied input to XStream for deserialization, so a malicious actor can obtain remote code execution in the context of “root” on the appliance. VMware released security updates for CVE-2021-39144 on October 25th, 2022 (advisory VMSA-2022-0027) and, because of the severity of the problem, also released updates for some end-of-life products. The security researchers who reported the flaw published a post with technical details and proof-of-concept (PoC) exploit code on the day the patches were released.
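To make the mechanism concrete, here is an added example (not code from VMware, the XStream project, or this article) showing the vulnerable pattern behind this class of bug next to the deny-by-default allowlist that XStream’s own security documentation recommends. The `UserPreferences` and `LegacyDebugHook` classes and the two XML request bodies are constructed for the demo and are assumptions; the gadget chains used in the real attacks are deliberately not reproduced.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Hypothetical DTO that an endpoint legitimately expects from a client.
class UserPreferences {
    String theme;
    int pageSize;
}

// Hypothetical class the endpoint never meant to accept. It stands in for the
// JDK/library types that real gadget chains abuse; on its own it is harmless.
class LegacyDebugHook {
    String command;
}

public class XStreamHardeningDemo {

    // VULNERABLE: any type on the classpath may be named in the XML root element
    // (or in a class="..." attribute), so the client decides which objects get built.
    static XStream unrestricted() {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY);
        return xs;
    }

    // HARDENED: start from deny-all, then allow exactly the types this endpoint needs.
    static XStream allowlisted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // clear every default permission
        xs.addPermission(NullPermission.NULL);                // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and boxes
        xs.allowTypes(new Class[] { String.class, UserPreferences.class });
        return xs;
    }

    static Object parse(XStream xs, String body) {
        return xs.fromXML(body);
    }

    public static void main(String[] args) {
        // Constructed request bodies: one legitimate, one naming a type the endpoint never expects.
        String legit = "<UserPreferences><theme>dark</theme><pageSize>50</pageSize></UserPreferences>";
        String hostile = "<LegacyDebugHook><command>id</command></LegacyDebugHook>";

        // The unrestricted parser instantiates whatever class the client named and fills its fields.
        Object built = parse(unrestricted(), hostile);
        System.out.println("unrestricted built: " + built.getClass().getName()
                + " command=" + ((LegacyDebugHook) built).command);

        // The allowlisted parser still serves the real use case ...
        UserPreferences prefs = (UserPreferences) parse(allowlisted(), legit);
        System.out.println("allowlisted built: theme=" + prefs.theme + " pageSize=" + prefs.pageSize);

        // ... but refuses the unexpected type before any object is created.
        try {
            parse(allowlisted(), hostile);
            System.out.println("BUG: hostile document was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("allowlisted rejected: " + e.getMessage());
        }
    }
}
```

Run it with the XStream jar on the classpath; the first parse succeeds, the third throws `ForbiddenClassException`. The allowlist is the library-level control. In the NSX-V case two other layers were also missing, and they are worth checking in any appliance you run: the endpoint accepted input without authentication, and the service ran as root, so a deserialization bug became an unauthenticated root shell instead of a crash in a low-privilege worker.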

VMware RCE Vulnerability Exploited in the Wild

The addition of CVE-2021-39144 to CISA’s Known Exploited Vulnerabilities (KEV) catalog followed VMware’s confirmation that the flaw is being exploited in the wild. VMware’s updated advisory states that the company has received information of in-the-wild exploitation activity for CVE-2021-39144, a statement that was not part of the original advisory. A cybersecurity company reported that exploitation began within weeks of the security updates being released and has continued since early December 2022. The company’s team analyzes a large number of exploited vulnerabilities every day and singled out CVE-2021-39144 as notable because it observed more than 40,000 exploitation attempts against the flaw over the preceding two months. Successful exploitation can be devastating, allowing threat operators to execute arbitrary code, steal data, and take full control of network infrastructure.

CISA ordered United States federal agencies to patch their systems within three weeks, by March 31st, 2023, to defend against attacks that could target their networks. Although the binding operational directive (BOD 22-01) behind CISA’s order applies only to United States federal agencies, the cybersecurity company strongly recommends that all organizations patch the flaw to protect their servers from the ongoing attacks. As CISA notes, vulnerabilities of this kind are a frequent attack vector for malicious threat actors and pose significant risks to the federal enterprise.

With both new and older vulnerabilities being exploited by threat actors to target exposed networks, companies need to stay aware of the current threat landscape and apply security patches promptly to prevent exploitation. At SpearTip, our team of engineers focuses on restoring companies’ operations, isolating malware to reclaim their networks, and recovering business-critical assets. Our risk assessment service is tailored to each client to uncover gaps in security, delivered as a technical summary with an individualized risk report detailing the steps needed to remediate those gaps. Our engineers work 24/7/365 in our Security Operations Center monitoring companies’ networks for signs of exploited vulnerabilities. The ShadowSpear platform, our managed detection and response tool, uses detection engines powered by artificial intelligence (AI) and models of attacker tactics, techniques, and procedures (TTPs) to detect malicious activity.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
