Pentera, the leader in Automated Security Validation (ASV), today announced its Pentera Labs team discovered two zero-day vulnerabilities. If exploited by threat actors, the critical attack path may result in the ability to disable, disrupt and destroy VMware vCenter managed environments in over 500,000 organizations globally.
The vulnerabilities were reported to VMware by Senior Security Researcher Yuval Lazar and released under CVE-2022-22948 and CVE-2021-22015 with a patch. Pentera Labs’ technical review of the vulnerabilities can be found here. Discovered vulnerabilities require immediate patching to prevent malicious actors from achieving remote access to vCenter and inflicting widespread damage on organizations.
Installed in thousands of organizations worldwide and managing some of their most critical assets and core systems, VMware vCenter Servers are a high-priority target for cybercriminals. Once compromised, the ease and convenience that vCenter offers for managing virtualized hosts in enterprise environments will play into the adversary’s hands, providing centralized access and widespread impact.
“As part of our daily work, we research the entire enterprise IT attack surface, including the exploitability of virtual workload environments such as vCenter and ESXi, and discovered zero-day vulnerabilities,” said Alex Spivakovsky, VP of Research at Pentera. “We’re glad to have discovered and immediately disclosed these vulnerabilities to strengthen the defender community, and we have not seen evidence that malicious actors have exploited them at this time.”
Pentera’s interest in VMware’s vCenter started because of previously reported vulnerabilities, increasing demand from customers and threats observed in the wild, most notably recent reports of a Python ransomware strain targeting ESXi. The team will continue to identify potential vulnerabilities within the platform that could affect businesses globally.
“Security readiness is not determined by a single vulnerability or the security team’s ability to discover and patch it. Our award-winning security validation platform autonomously emulates the entire cyberattack kill chain and provides peace of mind for security leaders facing a multitude of internal and external attacks.”
Pentera co-founder and CTO, Dr. Arik Liberzon
Pentera is the category leader for Automated Security Validation, allowing every organization to easily test the integrity of all cybersecurity layers, unfolding accurate, current security exposures at any moment, at any scale. Thousands of security professionals and service providers worldwide use Pentera to guide remediation and close security gaps before they are exploited.