CISA warns of critical VMware RCE flaw exploited in attacks

CISA has added a critical severity vulnerability in VMware's Cloud Foundation to its catalog of security flaws exploited in the wild.

The flaw (tracked as CVE-2021-39144) was found in the XStream open-source library used by vulnerable VMware products and has been assigned an almost maximum severity score of 9.8/10 by VMware.

Unauthenticated threat actors can exploit the bug in low-complexity attacks that will not need user interaction to execute arbitrary code remotely with root privileges on unpatched appliances.

"Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of 'root' on the appliance," VMware explains.

VMware released security updates to address the CVE-2021-39144 flaw reported by Sina Kheirkhah of MDSec and Steven Seeley of Source Incite on October 25th. Because of the severity of the issue, VMware also issued patches for some end-of-life products.

The day CVE-2021-39144 patches were released, Kheirkhah also published a blog post with technical details and proof-of-concept (PoC) exploit code.

Actively exploited since early December

CISA's decision to include the CVE-2021-39144 vulnerability in its Known Exploited Vulnerabilities (KEV) catalog follows confirmation from VMware that the bug is being exploited in the wild.

"Updated advisory with information that VMware has received reports of exploitation activities in the wild involving CVE-2021-39144," the company said in a Thursday update to the original advisory.

This came after cybersecurity firm Wallarm revealed on Monday that CVE-2021-39144 exploitation started just a few weeks after security updates were released and has been ongoing since at least early December 2022.

"The Wallarm Detect team hunts and analyzes dozens of vulnerabilities every day, and this one is particularly interesting because it was exploited over 40,000 times over the last 2 months. Active exploitation started on 2022-Dec-08 and keeps going," Wallarm said.

"If successfully exploited, the impact of these vulnerabilities could be catastrophic, allowing attackers to execute arbitrary code, steal data, and/or take control of the network infrastructure."

​With the flaw's addition to the KEV catalog, CISA has ordered U.S. federal agencies to secure their systems against attacks within three weeks, until March 31st, to thwart attacks that might target their networks.

Although the November 2021 binding operational directive (BOD 22-01) behind CISA's order only applies to U.S. federal agencies, the cybersecurity agency has also strongly urged all organizations to patch this bug to protect their servers from ongoing attacks.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said.