Security Experts:

Connect with us

Hi, what are you looking for?



Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing

Wallarm Detect warns of ongoing exploitation of a critical vulnerability in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V).

Application vulnerability detection firm Wallarm Detect warns of ongoing exploitation of a critical flaw in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V).

Tracked as CVE-2021-39144 (CVSS score of 9.8), the issue was disclosed in October 2022, when VMware announced patches for it, although the affected product had reached end-of-life (EOL) status in January 2022.

“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance,” VMware said at the time.

The security defect was identified in the XStream open source library that supports the serialization of objects to XML and back. The vulnerability impacts XStream version 1.4.17 and older.

VMware announced patches for this vulnerability on October 25. Two days later, the company updated its advisory to warn that proof-of-concept (PoC) code targeting the vulnerability had been released.

The issue was addressed along with CVE-2022-31678, a medium-severity XML External Entity (XXE) flaw that could allow an unauthenticated attacker to cause a denial-of-service (DoS) condition.

On Monday, Wallarm Detect revealed that, since December 2022, it has been observing ongoing exploitation of these vulnerabilities in the VMware NSX Manager network virtualization and security solution.

“Active exploitation started on 2022-Dec-08 and keeps going. Attackers are scanning from well-known data centers like Linode and Digital Ocean – over 90% of the attacks are coming from their IP addresses,” the security firm says.

Wallarm Detect says it observed a peak in exploitation attempts in late December, at over 4,600 attacks per day, but that the number decreased in late January, to an average of 500 attacks per day.

“If successfully exploited, the impact of these vulnerabilities could be catastrophic, allowing attackers to execute arbitrary code, steal data, and/or take control of the network infrastructure,” the company notes.

It is also worth noting that Wallarm Detect is assessing the severity of these two vulnerabilities differently than VMware. In NSX Manager, the firm says, CVE-2022-31678 has a CVSS score of 9.1, which makes it critical, while CVE-2021-39144 has a CVSS score of 8.5, making it ‘high severity’.

Related: VMware Plugs Critical Carbon Black App Control Flaw

Related: VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability

Related: High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet