Mass scan for vulnerable VMware vCenter instances

[German]If you administrate VMware vCenter instances, make sure they are patched to the latest version. Currently, hackers seem to be scanning the Internet for unpatched VMware vCenter instances. The goal: to take over these vCenter instances for their own purposes – so there is a risk of unpleasant surprises.


Critical vulnerabilities in vSphere

I had pointed out the issue a few days ago in the blog post VMware fixes critical RCE vulnerabilities im vSphere HTML5 client. VMware warns its users about critical RCE vulnerabilities in the vSphere HTML5 Client and other products. Security Advisory VMSA-2021-000 lists vulnerabilities CVE-2021-21972, CVE-2021-21973, CVE-2021-21974 in the following products:

  • VMware ESXi
  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)

Some of these vulnerabilities are listed with a severity level of 9.8 (up to a scale of 10). Security updates are now available for the affected product.

Warning of an attack

Currently, thousands of unpatched vSphere instances appear to be accessible via the Internet. Arstechnica writes here that already one day after the VMware security warning, a proof of concept was available from various sources.  

Scanings of vulnerable VMware vCenter servers

Security researchers from Bad Packets warned in the above tweet on February 24, 2021, that they have observed mass scans for these instances. Security researcher Troy Mursch of Bad Packets said the BinaryEdge search engine found nearly 15,000 vCenter servers accessible from the Internet. A Shodan search yielded about 6,700 hits. The mass scan aims to identify servers that have not yet installed the patch, which VMware released in February 2021.


Vulnerability CVE-2021-21972 allows hackers to upload unauthorized files to vulnerable vCenter servers that are publicly accessible via port 443. This was discovered by security researchers at Tenable. The vulnerability results from a lack of authentication in the vRealize Operations plugin, which is installed by default. Successful exploits result in hackers gaining unrestricted remote code execution rights in the underlying operating system.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Virtualization and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *