Cybersecurity firm Wiz has published research which shows that at least 12 per cent of servers running VMware ESXi hypervisor are unpatched against a two-year-old vulnerability that is now being exploited in a widespread ransomware attack.
“Attacks utilising this vulnerability to install ransomware have been discovered worldwide, though mostly in Europe,” Wiz said.
The US and Canada continue to rank second and fourth, respectively, in terms of countries hardest hit by the ESXiArgs ransomware campaign, with hundreds of servers compromised by the ransomware criminals.
Targets are “primarily” VMware ESXi servers that run versions of the hypervisor prior to 7.0 U3i, “which are accessible through the OpenSLP port 427.”
First disclosed in 2021 and tracked at CVE-2021-21974, the vulnerability specifically affects the OpenSLP service in older versions of ESXi, and can be exploited to enable remote execution of code.
VMware noted that there’s a correlation between the cyberattacks and servers that are either at end-of-support or “significantly out-of-date.”
The OpenSLP service was disabled in ESXi in 2021 starting with ESXi 7.0 U2c and ESXi 8.0 GA, VMware said.
The company said Monday that it’s “advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities,” and that it also continues to recommend that customers disable the OpenSLP service in ESXi.
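The exposure criteria the article gives, a hypervisor version older than 7.0 U3i combined with OpenSLP reachable on port 427, are easy to turn into an inventory triage. The script below is an added example, not code from Wiz or VMware; it parses ESXi version strings of the form "7.0 U3i" and flags hosts that meet both criteria. The inventory is constructed, the 7.0 U3i threshold is taken from the article as stated, and the version parser is deliberately coarse: it does not see build-level security patches on 6.x or 7.0 branches, so a host it flags still needs its build number checked against VMware's advisory before being declared vulnerable.

```python
import re
from dataclasses import dataclass

# Threshold quoted by the article: targets run versions prior to 7.0 U3i and
# expose OpenSLP on port 427. Both values are assumptions only in the sense
# that they are copied from the report, not derived from VMware's build list.
FIXED_VERSION = "7.0 U3i"
OPENSLP_PORT = 427

# Matches "6.7", "7.0 U3", "7.0 U3i" (major.minor, optional update number and letter).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?$")


def parse_version(text):
    """Turn an ESXi version string into a comparable tuple.

    '7.0 U3i' -> (7, 0, 3, 9); a missing update number or letter counts as 0,
    so '7.0' < '7.0 U1' < '7.0 U3a' < '7.0 U3i'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ESXi version string: {text!r}")
    major, minor, update, letter = m.groups()
    letter_rank = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(update or 0), letter_rank)


def is_older_than_fix(version):
    """True when the version sorts below the article's 7.0 U3i threshold."""
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass
class Host:
    name: str
    version: str
    open_ports: set  # TCP ports found reachable by an internal scan


def triage(hosts):
    """Names of hosts matching both criteria: old version AND port 427 reachable.

    A host that is old but has OpenSLP firewalled off is not listed here; it
    still needs patching, but it is not in the exposed population the article
    describes.
    """
    return [
        h.name
        for h in hosts
        if is_older_than_fix(h.version) and OPENSLP_PORT in h.open_ports
    ]


# Constructed sample inventory; these are not real hosts.
SAMPLE_HOSTS = [
    Host("esx-old-exposed", "6.7 U3", {22, 427, 443}),
    Host("esx-7u3a-exposed", "7.0 U3a", {427, 443}),
    Host("esx-old-firewalled", "6.5 U2", {443}),
    Host("esx-patched", "7.0 U3i", {427, 443}),
    Host("esx-8", "8.0", {443}),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_HOSTS):
        print("AT RISK:", name)
```

On the sample inventory the script flags `esx-old-exposed` and `esx-7u3a-exposed`; `esx-old-firewalled` is left out because port 427 is not reachable, which is exactly the effect of following VMware's advice to disable the OpenSLP service, and it is the state to verify from the outside after remediation rather than trusting the host-side configuration alone.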
“VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks,” the company said.