Cyber criminals are scanning the internet for VMware vCenter servers that remain unpatched against a critical remote code execution flaw addressed at the end of last month.
The ongoing activity was detected by Bad Packets and confirmed by security researcher Kevin Beaumont.
Troy Mursch, chief research officer at Bad Packets, tweeted that mass scanning activity was detected from 188.8.131.52 checking for VMware vSphere hosts vulnerable to remote code execution.
A proof-of-concept (PoC) RCE exploit code targeting the VMware vCenter bug was published.
The bug, tracked as CVE-2021-21985 (CVSS score 9.8), stems from a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which a threat actor could abuse to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Although VMware fixed the flaw on May 25, users are strongly urged to apply the emergency update immediately.
Malicious actors have opportunistically mass-scanned the internet for vulnerable VMware vCenter servers before. A similar remote code execution vulnerability (CVE-2021-21972), patched by VMware in February, was targeted in order to exploit and take control of unpatched systems.
At least 14,858 vCenter servers were found reachable over the internet at the time, according to Bad Packets and Binary Edge.
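The two defensive questions this report raises are whether the vCenter management interface is reachable from outside the network at all, and whether the scanning source Bad Packets named is already showing up in its access logs. The following Python script is an added example, not code from the article or from Bad Packets: it parses web server access logs in the common combined format (an assumption; vCenter's own log layout may differ), flags the 188.8.131.52 source named above, any non-RFC 1918 source reaching the interface, and any source whose request pattern looks like probing. The log lines, the paths and the 10.0.0.7 and 203.0.113.9 addresses are constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample access log (combined format). 188.8.131.52 is the scanning
# source named in the article; 10.0.0.7 (internal admin host) and 203.0.113.9
# (second external source) and every path here are made up for the example.
SAMPLE_LOG = """\
188.8.131.52 - - [05/Jun/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
188.8.131.52 - - [05/Jun/2021:10:01:03 +0000] "GET /ui/ HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
188.8.131.52 - - [05/Jun/2021:10:01:03 +0000] "POST /probe-a HTTP/1.1" 404 0 "-" "python-requests/2.25.1"
10.0.0.7 - - [05/Jun/2021:10:02:10 +0000] "GET /ui/ HTTP/1.1" 200 9211 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jun/2021:10:03:00 +0000] "GET /probe-b HTTP/1.1" 404 0 "-" "curl/7.64.1"
203.0.113.9 - - [05/Jun/2021:10:03:00 +0000] "GET /probe-c HTTP/1.1" 404 0 "-" "curl/7.64.1"
203.0.113.9 - - [05/Jun/2021:10:03:01 +0000] "GET /probe-d HTTP/1.1" 404 0 "-" "curl/7.64.1"
"""

# Scanning source reported by Bad Packets in the article.
KNOWN_SCANNERS = {"188.8.131.52"}

# RFC 1918 ranges: management traffic from here is expected, anything else is not.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per parseable combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def is_internal(ip):
    """True if the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(text, probe_threshold=3):
    """Return {ip: [reasons]} for sources worth a closer look.

    Reasons, in the order they are checked:
      known-scanner    IP is in KNOWN_SCANNERS
      external-source  non-RFC 1918 IP reached the management interface at all
      probing          >= probe_threshold distinct paths and at least half of the
                       requests did not succeed (2xx), i.e. scanner-like behaviour
    """
    paths = defaultdict(set)
    non_success = defaultdict(int)
    total = defaultdict(int)
    for rec in parse_log(text):
        ip = rec["ip"]
        paths[ip].add(rec["path"])
        total[ip] += 1
        if not rec["status"].startswith("2"):
            non_success[ip] += 1

    findings = {}
    for ip in total:
        reasons = []
        if ip in KNOWN_SCANNERS:
            reasons.append("known-scanner")
        if not is_internal(ip):
            reasons.append("external-source")
        if len(paths[ip]) >= probe_threshold and non_success[ip] * 2 >= total[ip]:
            reasons.append("probing")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(f"{ip:16} {', '.join(reasons)}")
```

Any external source appearing in these logs is itself the finding: a vCenter interface that only internal administrators should reach has no business answering requests from the internet, whether or not the requester is on a known scanner list. The probe heuristic (several distinct paths, mostly non-2xx) is deliberately simple and will also catch broken monitoring clients, so treat it as a triage filter rather than an alert on its own.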