On the 25th of May, VMware published a patch for a critical vulnerability in vCenter Server. This vulnerability affects vCenter Server versions 6.5, 6.7 and 7.0 and is tracked as CVE-2021-21985. The patch also addresses a slightly less serious vulnerability, CVE-2021-21986.
The vulnerability CVE-2021-21985 in vCenter Server enables an unauthenticated attacker who has access to port 443 to execute commands with unrestricted privileges. We assess the impact of this vulnerability as high.
This vulnerability is relatively easy to exploit. Therefore, the risk of an attacker exploiting it is high.
VMware has provided a patch that resolves the listed vulnerabilities and advises applying it as an emergency patch as quickly as possible. A workaround/mitigation is available: marking specific plugins in vCenter as incompatible. VMware advises against this, as it disables certain vSAN functionality.
What does Northwave do?
Northwave is investigating the possibilities for monitoring exploitation attempts of this vulnerability, and will implement detection rules when possible.
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.