Action Recommended: VMware vCenter Server – Actors Attempting to Exploit Unpatched Software

General guidance statement: Due to on-going compromises being observed across multiple activity campaigns (e.g. SolarWinds, Microsoft Exchange, Fortinet FortiOS, Ivanti Pulse Connect Secure (PCS) SSL VPN) and exploitation of unpatched vulnerabilities (e.g., VMware, Microsoft Exchange) in recent months, asset owners are encouraged to review and address all vulnerability notifications and updates related to products in use within their environment in a timely fashion. Furthermore, in an effort to help utilities prioritize vulnerability management, WaterISAC assesses critical threats and vulnerabilities through available information and intelligence and advises members accordingly when it feels priority action is warranted – this notification/advisory is one of those times.

VMware vCenter Server – Actors Attempting to Exploit Unpatched Software

On Friday, June 4, 2021, CISA posted a current activity report noting awareness of the likelihood that cyber threat actors are attempting to exploit a recently disclosed vulnerability in VMware vCenter Server and VMware Cloud Foundation. The vulnerability, CVE-2021-21985 enables remote code execution of unpatched systems and VMware made a patch available on May 25, 2021.

Organizations are encouraged to patch as soon as practical, as mass scanning has been observed for this vulnerability. If an organization cannot immediately apply the updates, VMWare has provided information on workarounds in the interim. Access the notification at CISA.

Next Steps
WaterISAC will continue to share information with members and partners as more is learned about this threat/campaign. Likewise, members are encouraged to share information with WaterISAC by emailing an*****@*******ac.org, calling 866-H20-ISAC, or using the online incident reporting form. 

– The WaterISAC Team