CISA has added a critical-severity vulnerability in VMware’s Cloud Foundation to its catalog of exploited-in-the-wild vulnerabilities.
The flaw (tracked as CVE-2021-39144) was found in the open-source XStream library used by vulnerable VMware products and was assigned a near-maximum severity score of 9.8/10 by VMware.
Unauthenticated attackers can exploit the bug in low-complexity attacks that require no user interaction, gaining remote code execution as root on unpatched appliances.
“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can obtain remote code execution in the context of ‘root’ on the ‘appliance’,” VMware explained.
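The mechanism VMware describes, an endpoint that hands untrusted XML to XStream without restricting which classes the library may instantiate, is shown below beside its hardened counterpart. This is an added illustration, not VMware's code and not the NSX-V endpoint itself: the `Request` class, the `request` alias and the sample XML strings are constructed for the example, while the XStream calls (`addPermission`, `allowTypes`, `fromXML`) are the library's real API. On XStream 1.4.17 and earlier the permissive constructor lets attacker-chosen class names through; from 1.4.18 the library denies unknown types by default, so only the hardened form is meaningful there.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    /** Hypothetical data class: the only object the endpoint is meant to accept. */
    public static final class Request {
        public String name;
        public int size;
    }

    /**
     * Vulnerable pattern: no type permissions configured. On XStream 1.4.17 and
     * earlier, fromXML() instantiates whatever class the root element names, so
     * untrusted input reaches the gadget classes behind CVE-2021-39144.
     */
    public static XStream permissiveXStream() {
        return new XStream();
    }

    /** Hardened pattern: deny every type, then allow only what the endpoint needs. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);               // drop all default permissions
        xstream.addPermission(NullPermission.NULL);                 // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);  // allow int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Request.class });
        xstream.alias("request", Request.class);                    // <request> maps to Request
        return xstream;
    }

    public static void main(String[] args) {
        // Constructed sample input for this example.
        String benign = "<request><name>alice</name><size>3</size></request>";
        // Constructed hostile input: the root element names an arbitrary JDK class.
        // No gadget chain is included; the point is only that the class is attacker-chosen.
        String hostile = "<java.lang.ProcessBuilder/>";

        XStream hardened = hardenedXStream();
        Request r = (Request) hardened.fromXML(benign);
        System.out.println("parsed name=" + r.name + " size=" + r.size);

        try {
            hardened.fromXML(hostile);
            System.out.println("UNEXPECTED: hostile payload was deserialized");
        } catch (ForbiddenClassException e) {
            // The security mapper refuses the class before it is instantiated.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is the part that matters: an XStream instance that can be reached without authentication should accept exactly the handful of classes the endpoint was written for and nothing else, regardless of which library version is on the classpath.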
On October 25, VMware released security updates to patch CVE-2021-39144, which was reported by Sina Kheirkhah of MDSec and Steven Seeley of Source Incite. Due to the severity of the issue, VMware also released fixes for some end-of-life products.
On the day the CVE-2021-39144 patches were released, Kheirkhah also posted a blog post with technical details and proof-of-concept (PoC) exploit code.
Actively exploited since early December
CISA’s decision to include the CVE-2021-39144 vulnerability in its Catalog of Known Exploited Vulnerabilities (KEV) follows VMware’s confirmation that the bug is being exploited in the wild.
“Advisory updated with information that VMware has received reports of in-the-wild activity involving CVE-2021-39144,” the company said in a Thursday update to the original advisory.
This came after cybersecurity firm Wallarm revealed on Monday that exploitation of CVE-2021-39144 began just weeks after security updates were released and has been ongoing since at least early December 2022.
“The Wallarm Detect team researches and analyzes dozens of vulnerabilities every day, and this one is particularly interesting because it has been exploited over 40,000 times in the past 2 months. Active exploitation began on 2022-Dec-08 and continues,” Wallarm said.
“If successfully exploited, the impact of these vulnerabilities could be catastrophic, allowing attackers to execute arbitrary code, steal data, and/or take control of network infrastructure.”
With the addition of the flaw to the KEV catalog, CISA ordered US federal agencies to patch their systems by March 31, roughly three weeks away, to thwart attacks that could target their networks.
Although the November 2021 Binding Operational Directive (BOD 22-01) behind the CISA order only applies to US federal agencies, the cybersecurity agency has also urged all organizations to fix this bug to protect their servers from ongoing attacks.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.