
Rewterz Threat Advisory – Active Exploitation of VMware vCenter Servers In The Wild

Severity

High

Analysis Summary

Active exploitation targeting unpatched VMware vCenter Server instances has been detected in the wild, with attack traffic observed from multiple IP addresses. The vulnerability affects vCenter Server versions 6.7 and 7.0. VMware urges administrators to act immediately and to work on the assumption that an adversary is already on the network, ready to take advantage.

CVE-2021-22005

VMware vCenter Server and Cloud Foundation could allow a remote attacker to upload arbitrary files because the Analytics service does not properly validate file extensions. A remote attacker could exploit this vulnerability to upload a malicious PHP script and thereby execute arbitrary PHP code on the vulnerable system.
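The root cause described above is an extension check that can be sidestepped. The following Python is an added illustrative example, not VMware's code, contrasting a naive denylist check with an allowlist check that normalizes the name and rejects traversal; the extension sets, function names and the one-extension rule are assumptions made for the example, not details of the affected service.

```python
"""Illustrative upload-name validation (added example, not VMware's code).
Shows why a denylist on the extension alone is not a sufficient control."""
import os
import re

# Denylist a naive implementation might use (constructed for illustration).
DENIED_EXTENSIONS = {".php", ".phtml"}
# Allowlist of what the upload endpoint actually expects (assumed for the example).
ALLOWED_EXTENSIONS = {".log", ".txt", ".json"}

# Plain base names only: letters, digits, dot, underscore, dash; bounded length.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,128}$")


def naive_extension_check(filename: str) -> bool:
    """Weak check: rejects only an exact, lowercase denylisted suffix.
    Case variants and traversal in the name slip straight past it."""
    _, ext = os.path.splitext(filename)
    return ext not in DENIED_EXTENSIONS


def hardened_extension_check(filename: str) -> bool:
    """Allowlist check: the name must be a bare base name (no separators or
    traversal), match a conservative character set, carry exactly one
    extension, and that extension must be one the service expects."""
    if filename in ("", ".", ".."):
        return False
    # Reject anything that is not a plain base name (no path separators, no traversal).
    if filename != os.path.basename(filename):
        return False
    if not _SAFE_NAME.fullmatch(filename):
        return False
    # Exactly one extension: rules out "payload.php.txt"-style double extensions
    # that some web servers interpret by the inner suffix. (Rejects .tar.gz too,
    # which is acceptable for an endpoint that only expects plain log files.)
    if filename.count(".") != 1:
        return False
    _, ext = os.path.splitext(filename)
    return ext.lower() in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for candidate in ("telemetry.json", "shell.php", "shell.PHP",
                      "../../shell.txt", "shell.php.txt"):
        print(f"{candidate!r:22} naive={naive_extension_check(candidate)!s:5} "
              f"hardened={hardened_extension_check(candidate)}")
```

Even with the allowlist in place, the stored file should get a server-generated name and live outside any web-served or interpreter-reachable directory, so that a validation gap never becomes code execution on its own.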

Impact

  • Remote Code Execution
  • Unauthorized Access

Indicators of Compromise

IP

  • 199.249.230.154
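To check whether the indicator above has already reached a server, a defender can run it against web-server access logs. The Python below is an added example and not part of the advisory; the log lines, the `/example-upload-endpoint` path and the Common Log Format pattern are constructed for illustration, and a real vCenter log source will need its own parsing pattern.

```python
"""Scan web-server access logs for the IP indicator from the advisory.
Added example with constructed log lines; not the advisory's own tooling."""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Indicator of compromise published in the advisory above.
IOC_IPS = {ipaddress.ip_address("199.249.230.154")}

# Common Log Format: client IP, timestamp, request line, status. Assumed format;
# adapt the pattern to the real log source before use.
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the upload path is a placeholder, not vCenter's.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2021:10:00:01 +0000] "GET /ui/ HTTP/1.1" 200 512
199.249.230.154 - - [27/Sep/2021:10:02:17 +0000] "POST /example-upload-endpoint HTTP/1.1" 201 0
192.0.2.44 - - [27/Sep/2021:10:03:40 +0000] "POST /example-upload-endpoint HTTP/1.1" 403 0
199.249.230.154 - - [27/Sep/2021:10:04:02 +0000] "GET /ui/shell.php HTTP/1.1" 200 77
this line is deliberately malformed
"""


def scan_log(lines: Iterable[str]) -> Tuple[List[Dict], int]:
    """Return (hits, unparsed_count). A hit is any parsed request whose client
    IP matches an IOC; successful (2xx) requests are marked high priority
    because they suggest the upload or a follow-up request went through."""
    hits: List[Dict] = []
    unparsed = 0
    for line in lines:
        m = _CLF.match(line)
        if not m:
            unparsed += 1
            continue
        try:
            client = ipaddress.ip_address(m["ip"])
        except ValueError:
            # Hostname or garbage in the client field: count it, do not guess.
            unparsed += 1
            continue
        if client not in IOC_IPS:
            continue
        status = int(m["status"])
        hits.append({
            "ip": str(client),
            "ts": m["ts"],
            "method": m["method"],
            "path": m["path"],
            "status": status,
            "priority": "high" if 200 <= status < 300 else "info",
        })
    return hits, unparsed


if __name__ == "__main__":
    found, skipped = scan_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'[{h["priority"]}] {h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(f"{len(found)} IOC hit(s), {skipped} unparseable line(s)")
```

Unparseable lines are counted rather than silently dropped so that a format mismatch shows up as a large skip count instead of a false clean result; a hit on the IOC with a 2xx status warrants treating the host as compromised pending investigation, in line with the advisory's assume-breach guidance.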

Remediation

Refer to the vendor advisory for the complete list of affected products and their respective patches.

https://www.vmware.com/security/advisories/VMSA-2021-0020.html