• Netenrich
  • /
  • Blog
  • /
  • VMware vCenter Server Exploit: Threat of the Week

VMware vCenter Server Exploit: Threat of the Week

Post by Amanjot Kaur Sep 30, 2021

Date: September 29, 2021

In this week’s edition of Threat of the Week, John Bambenek talks about VMware vCenter Server. Attackers are actively exploiting this critical vulnerability that exposes vulnerable enterprise networks 


Who is affected by VMware vCenter Server Exploit? 

According to VMware security advisory, VMware vCenter Server (vCenter Server) and VMware Cloud Foundation (Cloud Foundation) were impacted.  

Why do you need to act now? 

Among the 19 vulnerabilities affecting the mentioned products, the vulnerability tracked as CVE-2021-22005 has a severity score of 9.8. It has been confirmed to be actively exploited in the wild by threat actors. A malicious threat actor with access to port 443 can exploit this vulnerability and execute code on vCenter Server.  

Several entities around the world appear to be scanning for the vulnerability with the workaround provided by VMware. Though VMware did not specify any specific number of devices at risk, it is estimated by Censys that around 7000 VMware vCenter servers on the public internet and 3,264 internet-facing hosts are potentially vulnerable. Out of these 3,264 hosts, only 436 are patched and 1,369 are either unaffected versions or have the workaround applied.  

Considering the increase in ransomware incidents, VMware has declared it an emergency change. Users are advised to patch their servers as soon as possible.  

What can you do about it? 

Affected organizations should immediately apply the patches for their vCenter Server 6.5, 6.7 and 7.0 as outlined in VMware’s public security advisory and supplemental clarification post.  

Organizations concerned that they may be exposed to this vulnerability, can find out their internet-facing assets and prioritize remediation by requesting a threat modelling report using our Attack Surface Management solution.

Other trending threats 

  • Microsoft has identified the use of FoggyWeb malware by Russian-linked Nobelium hacking group to deploy additional payloads and steal sensitive info from Active Directory Federation Services (ADFS) servers.   
  • Around 10 Million Android devices across 70 different countries have been infected by malware named Grifthorse
  • Bandwidth.com, a major hosting provider for VoIP services has been under a major distributed denial of service (DDoS) assault. The attack has impacted VoIP services such as Accent, Ring Central, Twilio, and more. The attack has been performed by the Revil hacking group 

About Threat of the Week 

Threat of the Week is a weekly video series on trending cyber threats and attacks. Our panel of cyber threat experts bring you the latest and most relevant updates from the ever-changing threat landscape for businesses, in a short and crisp format. 

Each edition of the series will feature, 

  • A quick analysis of a notable threat and attack of the week 
  • Expert advice on keeping yourself protected 
Subscribe Now



Amanjot Kaur

About the Author

Amanjot Kaur

Subscribe To Our Newsletter!

The best source of information for Security, Networks, Cloud, and ITOps best practices. Join us.

Thank you for subscribing!

Related Post

Side view of a man wearing hoodie with binary numbers code shone on his face
Jan 08 2021

CVE-2020-29583 – Do You KNOW This Vulnerability?

According to the researchers, around 100,000 Zyxel...

Read More