VMware fixed several bugs, including a critical remote code execution vulnerability in its vCenter Server management software that, if exploited, would allow attackers to execute arbitrary commands on the server and gain access to sensitive data.

Remote code execution vulnerabilities pose especially critical security threats to organizations, and VMware’s strong foothold in data centers worldwide makes patching these flaws particularly urgent.

“VMware is monitoring the situation, and we are not aware of any reports of active exploitation,” a company spokesperson said in an email to SDxCentral.

VMware vCenter RCE Bug

According to Positive Technologies, more than 6,000 VMware vCenter devices worldwide are accessible from the internet and contain the most critical vulnerability, CVE-2021-21972, which received a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10. About a quarter of these devices (26%) are located in the U.S.

Positive Technologies’ threat researcher Mikhail Klyuchnikov discovered the bug in the vSphere Client functionality. The main threat comes from attackers already inside the network: those who have penetrated the perimeter by other means, such as social engineering or web application vulnerabilities, or who retain access to the internal network through previously installed backdoors.

“In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781),” Klyuchnikov said in a statement. “The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server.”

This would allow the attacker to move through the corporate network and gain access to the data stored in the attacked system, such as information about virtual machines and system users, Klyuchnikov explained. “If the vulnerable software can be accessed from the Internet, this will allow an external attacker to penetrate the company's external perimeter and also gain access to sensitive data,” he said. “Once again, I would like to note that this vulnerability is dangerous, as it can be used by any unauthorized user.”

Earlier this month, Positive Technologies’ Egor Dimitrenko discovered a different high-severity vulnerability in the VMware vSphere Replication data replication tool.

ESXi Hypervisor Vulnerability

The second vulnerability (CVE-2021-21974) received an “important” severity CVSS score of 8.8. Trend Micro’s zero-day threat researcher Lucas Leong found this flaw in the ESXi hypervisor and in Cloud Foundation software stacks running that hypervisor. It is a heap-overflow vulnerability: by supplying specially crafted data, an attacker can cause the service to write past the bounds of a heap buffer and corrupt adjacent internal data structures.

This means an attacker in the same network segment as ESXi with access to port 427 could trigger the heap overflow in the OpenSLP service, resulting in remote code execution, according to the VMware security disclosure.

Finally, a server-side request forgery (SSRF) vulnerability (CVE-2021-21973), also discovered by Klyuchnikov in a vCenter Server plugin, received a CVSS score of 5.3, or “moderate.” An attacker with network access could exploit this flaw by sending a POST request to the vCenter Server plugin, which could lead to information disclosure.