Caleb Boma | February 25th, 2021


VMware vCenter servers are being scanned at a high rate because of a newly discovered vulnerability that allows threat actors to infiltrate unpatched servers and take control of company networks.

Critical Vulnerability Exposes VMware Servers

The vulnerability, tracked as CVE-2021-21972, has a Common Vulnerability Scoring System (CVSS) score of 9.8. The remote code execution vulnerability affects a plugin of VMware vCenter called vSphere Client. This plugin runs on a server used in enterprise networks as a management tool through which IT personnel control VMware products on employee machines.

Since vCenter servers control many different machines within a network, the vulnerability is rated as highly critical. Threat actors can exploit the vulnerability easily, since the exploit is only a one-line cURL request. Roughly 6,700 VMware vCenter servers are exposed to the internet, which means they are all vulnerable until system administrators successfully apply VMware's patches.

The researchers at Positive Technologies who discovered the vulnerability in October 2020 wanted to quietly notify affected users so they could patch. Unfortunately, an independent researcher published a proof of concept (PoC). This allowed threat actors to learn of the vulnerability, and in turn, scans for unprotected servers skyrocketed.

How to patch:

VMware has issued official patches for all vulnerable versions.

VMware has also listed two other products, VMware ESXi and VMware Cloud Foundation, which have been impacted.

VMware's ESXi was targeted last year by the RansomExx, Babuk Locker, and Darkside ransomware groups. It is apparent that threat actors are looking to take control of servers connected to many different networks, because from there they can spread their ransomware to more than one victim at a time.

When a vulnerability like this is discovered, the engineers in our 24/7 Security Operations Center work to patch it on every client network immediately. Even if the patches were not completed before threat actors infiltrated a network, our ShadowSpear® Platform would block any malicious executables attempting to run on machines, and ShadowSpear® would neutralize threats by isolating the host, ensuring that spread to other portions of the network is not possible.

Three modules make up the ShadowSpear® Platform and work cohesively to stop cyber threats for any organization in any industry.

Identify has cloud SIEM capabilities and provides custom dashboards, queries, and filters in one place for easy viewing.

Neutralize equips organizations with next-gen antivirus and a Security Operations Center ready to respond to threats. From the moment it is deployed, it prevents advanced malware and exploitation techniques.

Counter gives our Security Operations Center the ability to react to threats with one of the quickest response times in the industry. Counter also collects forensic artifacts, executes response scripts, and isolates hosts, which is a surefire way to combat criminal adversaries.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you are experiencing a breach, please call our Security Operations Center at 833.997.7327.
