23 September 2021

Hackers are on the hunt for vulnerable VMware vCenter servers

Threat actors are actively scanning the internet in search of VMware vCenter servers vulnerable to a critical arbitrary file upload vulnerability that could lead to remote code execution.

The flaw, tracked as CVE-2021-22005, exists because of insufficient validation of files during upload within the Analytics service. A remote, unauthenticated attacker with network access to port 443/TCP can upload and execute an arbitrary file on the server. CVE-2021-22005 affects any version of vCenter Server 7.0 and vCenter Server 6.7 running on the Virtual Appliance (vCenter Server 6.7 running on Windows, for example, is not affected).

According to the infosec company Bad Packets that first reported ongoing scanning activity, “CVE-2021-22005 scanning activity detected from 116[.]48.233.234”. In another message on Twitter the company added that scans are based on the workaround provided by VMware to customers who could not immediately update their appliances.

Earlier this month, multiple security researchers warned that hackers are actively scanning the internet for unprotected Azure Linux-based servers vulnerable to the recently patched OMIGOD flaw in order to deploy cryptomining software or ensnare them into a DDoS botnet.
