Critical vulnerability in VMware ESXi: Global wave of attacks presumably also shut down hundreds of German companies
by Tina Siering
A critical security vulnerability in the virtualization solution "ESXi" of the manufacturer VMware is currently being actively exploited by cyber criminals to attack so-called ESXi servers worldwide. According to media reports, hundreds of companies and institutions in Germany alone appear to be affected by the wave of attacks.
The perpetrators are exploiting a vulnerability in the application's OpenSLP service, which has been known for some time and for which the manufacturer has provided a patch since February 2021, to execute malicious code and deploy a ransomware called "Nevada", which can be used to encrypt the virtual hard disks of guest systems.
The attacks target unpatched systems running ESXi versions 6.5.x, 6.7.x and 7.x. The vulnerability, CVE-2021-21974, has a CVSS score of 8.8 and is rated "high". Because of the business-critical threat situation, the BSI has declared the second-highest warning level (warning level 3/orange).
Recommendation for action:
We recommend that IT security managers immediately install the security update provided by the manufacturer in order to permanently close the vulnerability.
As a workaround, the manufacturer states that attacks can also be blocked by disabling the SLP service on unpatched hypervisor systems. VMware has published instructions for this on the company website.
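The following script is an added example and not VMware's published instructions: it stops and disables the SLP daemon on an ESXi host, blocks its firewall rule, and then verifies that both settings took effect. It assumes the ESXi shell commands `/etc/init.d/slpd`, `chkconfig` and `esxcli network firewall ruleset`, and assumes the SLP firewall rule is named `CIMSLP`; the two parser helpers work on command output passed in as text so the verification logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not VMware's own code. Run as root in the ESXi shell
# with "--apply". Command names and the CIMSLP rule name are assumptions
# about the host; only applying the vendor patch closes CVE-2021-21974.

# Return 0 if "chkconfig --list" output shows the slpd service set to off.
slpd_disabled_in() {
    printf '%s\n' "$1" | grep -q '^slpd[[:space:]][[:space:]]*off[[:space:]]*$'
}

# Return 0 if "esxcli network firewall ruleset list" output shows CIMSLP
# disabled (Enabled column reads "false").
cimslp_blocked_in() {
    printf '%s\n' "$1" | grep -q '^CIMSLP[[:space:]][[:space:]]*false[[:space:]]*$'
}

# Apply the workaround: stop the daemon, close the firewall rule, and
# keep slpd from starting again on reboot.
disable_slp() {
    /etc/init.d/slpd stop || return 1
    esxcli network firewall ruleset set -r CIMSLP -e 0 || return 1
    chkconfig slpd off || return 1
}

# Re-read the host state instead of trusting the exit codes above.
verify_slp_disabled() {
    slpd_disabled_in "$(chkconfig --list)" || return 1
    cimslp_blocked_in "$(esxcli network firewall ruleset list)" || return 1
}

if [ "${1:-}" = "--apply" ]; then
    if disable_slp && verify_slp_disabled; then
        echo "SLP service disabled and firewall rule CIMSLP closed"
    else
        echo "SLP workaround NOT confirmed; check host manually" >&2
        exit 1
    fi
fi
```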