VMware has officially confirmed that the critical vCenter Server vulnerability, CVE-2023-34048, has been exploited in the wild. The vCenter Server is a vital management platform used in VMware's vSphere environments, facilitating the management of ESX and ESXi servers as well as VMs.
The vulnerability was initially reported by Trend Micro vulnerability researcher Grigory Dorodnov and is a result of an out-of-bounds write weakness in vCenter's DCE/RPC protocol implementation. This vulnerability can be exploited remotely in low-complexity attacks that have high confidentiality, integrity, and availability impact, and do not require authentication or user interaction.
Due to the critical nature of the vulnerability, VMware has issued security patches for several end-of-life products that are no longer actively supported. It has been observed that network access brokers often take control of VMware servers and sell them on cybercrime forums to ransomware groups. These groups, including Royal, Black Basta, LockBit, RTM Locker, Qilin, ESXiArgs, Monti, and Akira, are known for directly targeting victims' VMware ESXi servers to steal and encrypt their files and demand hefty ransoms.
According to data from Shodan, over 2,000 VMware vCenter servers are currently exposed online, potentially making them vulnerable to attacks and putting corporate networks at risk due to their vSphere management role. VMware has urged administrators who are unable to patch their servers to strictly control network perimeter access to vSphere management components. The company has warned, "VMware strongly recommends strict network perimeter access control to all management components and interfaces in vSphere and related components, such as storage and network components, as part of an overall effective security posture." The specific network ports associated with potential exploitation in attacks targeting this vulnerability are 2012/tcp, 2014/tcp, and 2020/tcp.
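The perimeter-control advice above is easy to state and easy to get wrong, so here is a way to check it offline before relying on it as a stopgap. The script below is an added example, not code from VMware or from the article: it models a first-match firewall policy in front of a vCenter Server and reports which of the three DCE/RPC ports named above (2012, 2014, 2020/tcp) remain reachable from addresses outside the management networks. The `Rule` model, the sample weak and hardened policies, the management CIDR and the probe addresses are all constructed for the example.

```python
"""Firewall-policy check for vCenter DCE/RPC exposure (added example, not VMware's code).

Models a first-match firewall policy in front of a vCenter Server and reports
which of the ports VMware associated with CVE-2023-34048 exploitation
(2012/tcp, 2014/tcp, 2020/tcp) are reachable from sources outside the
management perimeter. Rule model, sample policies and probe addresses are
constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# Ports named by VMware in connection with exploitation of CVE-2023-34048.
VCENTER_DCERPC_PORTS = frozenset({2012, 2014, 2020})


@dataclass(frozen=True)
class Rule:
    """One first-match firewall rule for traffic destined to the vCenter host."""
    action: str                        # "allow" or "deny"
    src: str                           # source CIDR, e.g. "10.10.0.0/24" or "0.0.0.0/0"
    dports: frozenset = frozenset()    # TCP destination ports; empty means "any port"

    def matches(self, src_ip: ipaddress.IPv4Address, dport: int) -> bool:
        in_src = src_ip in ipaddress.ip_network(self.src, strict=False)
        port_ok = not self.dports or dport in self.dports
        return in_src and port_ok


def decide(rules, src_ip, dport, default="deny"):
    """Return the action of the first rule matching (src_ip, dport), else the default."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.matches(ip, dport):
            return rule.action
    return default


def exposed_ports(rules, mgmt_cidrs, probe_sources):
    """Map each probe source outside the management CIDRs to the DCE/RPC ports it can reach.

    An empty result means the policy confines those ports to the management networks.
    """
    mgmt = [ipaddress.ip_network(c) for c in mgmt_cidrs]
    findings = {}
    for src in probe_sources:
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in mgmt):
            continue  # management sources are expected to reach these ports
        reachable = {p for p in sorted(VCENTER_DCERPC_PORTS) if decide(rules, src, p) == "allow"}
        if reachable:
            findings[src] = reachable
    return findings


def recommended_rules(mgmt_cidrs):
    """Allow-list policy: only management networks reach the DCE/RPC ports; all else is denied."""
    rules = [Rule("allow", c, VCENTER_DCERPC_PORTS) for c in mgmt_cidrs]
    rules.append(Rule("deny", "0.0.0.0/0", VCENTER_DCERPC_PORTS))
    return rules


# Constructed sample: a permissive policy that lets any source reach any port on vCenter.
WEAK_POLICY = [Rule("allow", "0.0.0.0/0")]

# Constructed management network and probe addresses (Internet, user LAN, management net).
MGMT_NETS = ["10.10.0.0/24"]
PROBES = ["203.0.113.7", "192.168.50.20", "10.10.0.5"]

if __name__ == "__main__":
    print("weak policy exposes:", exposed_ports(WEAK_POLICY, MGMT_NETS, PROBES))
    print("hardened policy exposes:", exposed_ports(recommended_rules(MGMT_NETS), MGMT_NETS, PROBES))
```

Run as-is, the weak policy reports all three ports reachable from both non-management probes, while the policy from `recommended_rules` reports nothing. Translating `recommended_rules` into real ACLs is left to the firewall in use; the point of the model is that the check is made against the policy that is actually deployed, with probe addresses drawn from every network segment that can route to the vCenter host, not only the Internet.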
Earlier in June, VMware also patched several high-severity vCenter Server security flaws that posed code execution and authentication bypass risks to vulnerable servers. The company also fixed an ESXi zero-day used by Chinese state hackers in data theft attacks and alerted customers to another actively exploited critical flaw in Aria Operations for Networks. Since the beginning of the year, IT administrators and security teams have had to address warnings of multiple security vulnerabilities under active exploitation, including zero-days affecting Ivanti Connect Secure, Ivanti EPMM, and Citrix NetScaler servers.