Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing

Wallarm Detect warns of ongoing exploitation of a critical vulnerability in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V).

Application vulnerability detection firm Wallarm Detect warns of ongoing exploitation of a critical flaw in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V).

Tracked as CVE-2021-39144 (CVSS score of 9.8), the issue was disclosed in October 2022, when VMware announced patches for it, although the affected product had reached end-of-life (EOL) status in January 2022.

“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance,” VMware said at the time.

The security defect was identified in the XStream open source library that supports the serialization of objects to XML and back. The vulnerability impacts XStream version 1.4.17 and older.

VMware announced patches for this vulnerability on October 25. Two days later, the company updated its advisory to warn that proof-of-concept (PoC) code targeting the vulnerability had been released.

The issue was addressed along with CVE-2022-31678, a medium-severity XML External Entity (XXE) flaw that could allow an unauthenticated attacker to cause a denial-of-service (DoS) condition.

On Monday, Wallarm Detect revealed that, since December 2022, it has been observing ongoing exploitation of these vulnerabilities in the VMware NSX Manager network virtualization and security solution.

“Active exploitation started on 2022-Dec-08 and keeps going. Attackers are scanning from well-known data centers like Linode and Digital Ocean – over 90% of the attacks are coming from their IP addresses,” the security firm says.

Advertisement. Scroll to continue reading.

Wallarm Detect says it observed a peak in exploitation attempts in late December, at over 4,600 attacks per day, but that the number decreased in late January, to an average of 500 attacks per day.

“If successfully exploited, the impact of these vulnerabilities could be catastrophic, allowing attackers to execute arbitrary code, steal data, and/or take control of the network infrastructure,” the company notes.

It is also worth noting that Wallarm Detect is assessing the severity of these two vulnerabilities differently than VMware. In NSX Manager, the firm says, CVE-2022-31678 has a CVSS score of 9.1, which makes it critical, while CVE-2021-39144 has a CVSS score of 8.5, making it ‘high severity’.

Related: VMware Plugs Critical Carbon Black App Control Flaw

Related: VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability

Related: High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.