A working exploit for the CVE-2021-22005 VMware vCenter flaw has been made publicly available and is reportedly being used by threat actors, warn security researchers.
Unlike the version that started making the rounds at the end of last week, proof-of-concept (PoC) code released on Monday by Rapid7 security engineer William Vu (known on Twitter as wvu) can open a reverse shell on a vulnerable system, allowing remote attackers to execute arbitrary code. The exploit works against endpoints with the Customer Experience Improvement Program (CEIP) component enabled.
Will Dormann, vulnerability analyst at the CERT/CC, also confirmed on Twitter that the exploit for CVE-2021-22005 is now fully public.
CVE-2021-22005 is an arbitrary file upload vulnerability in the Analytics service of vCenter Server that allows a remote, unauthenticated attacker to upload and execute an arbitrary file on the server and thus fully compromise the system. The bug affects vCenter Server 6.5, 6.7, and 7.0.
On September 24, VMware confirmed reports that CVE-2021-22005 was being exploited in the wild, and multiple security researchers reported mass scanning for vulnerable vCenter Servers.
VMware has released Security Advisory VMSA-2021-0020 with patching information and has also provided a temporary workaround for CVE-2021-22005 for those unable to upgrade to a fixed version immediately.
In an advisory on Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) also urged critical infrastructure entities and other organizations with affected vCenter Servers to update the machines immediately or to apply the temporary workaround from VMware.