CISA has added a critical severity vulnerability in VMware’s Cloud Foundation to its catalog of exploited security flaws in the wild.
The flaw (logged as CVE-2021-39144) was found in the open source XStream library used by the vulnerable VMware products and was assigned a near-maximum severity score of 9.8/10 by VMware.
Unauthenticated threat actors can exploit the bug in low-complexity attacks that do not require user interaction to remotely execute arbitrary code with root privileges on unpatched appliances.
“Due to an unauthenticated endpoint leveraging XStream for input serialization on VMware Cloud Foundation (NSX-V), a malicious actor can gain remote code execution in the ‘root’ context on the device,” VMware explains.
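The root cause VMware describes is a generic one: an endpoint that hands attacker-controlled XML to XStream, which by default (through version 1.4.17) instantiates whatever class names the stream asks for, guarded only by a blocklist that CVE-2021-39144 sidesteps. The following is an added example, not VMware's or the XStream project's code, showing that vulnerable pattern next to the hardening XStream's own security documentation recommends: clear all implicit permissions and allow only the types the endpoint actually expects. It assumes XStream is on the classpath; the `ServiceRequest` class, the `request` alias and both XML inputs are constructed for illustration, and `java.util.ArrayList` stands in for whatever unexpected type an attacker would name.

```java
// Added example (not VMware or XStream project code). Assumes XStream
// (com.thoughtworks.xstream) on the classpath; ServiceRequest, the "request"
// alias and the XML strings below are constructed for this illustration.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;

public class XStreamEndpoint {

    /** The only type this hypothetical endpoint legitimately accepts from a client. */
    public static class ServiceRequest {
        public String action;
        public int timeoutSeconds;
    }

    /**
     * Vulnerable pattern: XStream out of the box (1.4.17 and earlier) resolves and
     * instantiates any class the untrusted XML names, subject only to its built-in
     * blocklist, which is what CVE-2021-39144 bypasses.
     */
    public static Object parseUnsafe(String untrustedXml) {
        XStream xstream = new XStream();
        xstream.alias("request", ServiceRequest.class);
        return xstream.fromXML(untrustedXml);
    }

    /**
     * Hardened pattern: deny everything, then allow exactly the expected types.
     * Any other class name in the stream raises ForbiddenClassException before an
     * instance is created, so no gadget chain can start.
     */
    public static Object parseSafe(String untrustedXml) {
        XStream xstream = new XStream();
        xstream.alias("request", ServiceRequest.class);
        xstream.addPermission(NoTypePermission.NONE);             // clear all implicit permissions
        xstream.allowTypes(new Class[] { ServiceRequest.class }); // explicit allowlist
        // Nested model types would be added here, e.g.
        // xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        return xstream.fromXML(untrustedXml);
    }

    private static void tryParse(String label, boolean safe, String xml) {
        try {
            Object o = safe ? parseSafe(xml) : parseUnsafe(xml);
            System.out.println(label + ": built " + o.getClass().getName());
        } catch (ForbiddenClassException e) {
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate request, and a stream naming a type the
        // endpoint never expects (a harmless JDK class stands in for an attacker's gadget).
        String legitimate = "<request><action>status</action><timeoutSeconds>30</timeoutSeconds></request>";
        String unexpected = "<java.util.ArrayList><string>not a ServiceRequest</string></java.util.ArrayList>";

        tryParse("unsafe, legitimate", false, legitimate);
        tryParse("unsafe, unexpected", false, unexpected); // builds an ArrayList: any type goes
        tryParse("safe,   legitimate", true, legitimate);
        tryParse("safe,   unexpected", true, unexpected);  // rejected by the allowlist
    }
}
```

Two caveats for anyone applying this to their own XStream-backed services. First, on XStream 1.4.18 or later the "unsafe" parser already refuses `ServiceRequest`, because the project switched the default from a blocklist to an allowlist of basic types; that change is the upstream fix, and user types must now be allowed explicitly either way. Second, an allowlist in your own code does nothing for a vendor appliance such as NSX-V, where the only remedy is VMware's update.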
VMware released security updates to address the CVE-2021-39144 flaw reported by MDSec’s Sina Kheirkhah and Source Incite’s Steven Seeley on October 25. Due to the severity of the issue, VMware has also issued patches for some end-of-life products.
On the day the CVE-2021-39144 patches were released, Kheirkhah also published a blog post with technical details and proof-of-concept (PoC) exploit code.
Actively exploited since early December
CISA’s decision to list the CVE-2021-39144 vulnerability in its Known Exploited Vulnerabilities (KEV) catalog follows VMware’s confirmation that the bug is being exploited in the wild.
“Advisory updated with information that VMware has received reports of exploitative activity in the wild involving CVE-2021-39144,” the company said in a Thursday update to the original advisory.
This came after cybersecurity firm Wallarm revealed on Monday that exploitation of CVE-2021-39144 began just weeks after the security updates were released and has been ongoing since at least early December 2022.
“The Wallarm Detect team searches and analyzes dozens of vulnerabilities every day, and this one is particularly interesting because it was exploited more than 40,000 times in the last 2 months. Active exploitation began on December 8, 2022 and continues,” Wallarm said.
“If exploited successfully, the impact of these vulnerabilities could be catastrophic, allowing attackers to execute arbitrary code, steal data, and/or take control of network infrastructure.”
With the addition of the flaw to the KEV catalog, CISA has given US federal agencies three weeks, until March 31, to patch their systems and thwart attacks that could target their networks.
Although the November 2021 binding operational directive (BOD 22-01) behind the CISA order only applies to US federal agencies, the cybersecurity agency has also strongly urged all organizations to patch this flaw to protect their servers from ongoing attacks.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.