VMware vCenter Server File Upload Vulnerability (Exploited by UNC3886)
Summary
A critical file upload vulnerability in VMware vCenter Server has been exploited by the UNC3886 threat actor to deploy backdoors.
Description
VMware vCenter Server contains a critical file upload vulnerability that allows an authenticated attacker to upload arbitrary files to the system. This vulnerability has been actively exploited in the wild by the threat actor UNC3886 (also tracked as VIRTUALPITA) to deploy backdoors and maintain persistent access to compromised environments.
The vulnerability exists in the vCenter Server update mechanism and allows an attacker with administrative access to upload malicious files that can be executed with elevated privileges. UNC3886 has exploited this vulnerability as part of a sophisticated attack chain targeting virtualization infrastructure.
Mandiant has reported that UNC3886 has used this vulnerability in conjunction with other VMware product vulnerabilities to establish persistence, deploy backdoors, and move laterally within compromised environments.
Affected Products
- vCenter Server 8.0 before 8.0 U2
- vCenter Server 7.0 before 7.0 U3p
- vCenter Server 6.7 before 6.7 U3u
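To triage an inventory against the list above, the following added example (not Mandiant's or VMware's code) compares release labels with the first fixed release of each branch. It assumes releases are recorded in the label form used on this page ("7.0 U3p" or "7.0 Update 3p"); mapping build numbers to labels is not covered, and the hostnames and inventory values are constructed.

```python
import re

# First fixed release per branch, taken from the Affected Products list above.
FIXED = {"8.0": "U2", "7.0": "U3p", "6.7": "U3u"}

_RELEASE_RE = re.compile(
    r"^\s*(?:vCenter Server\s+)?(\d+\.\d+)(?:\s*U(?:pdate\s*)?(\d+)([a-z]?))?\s*$",
    re.IGNORECASE,
)

def parse_release(text):
    """Split '7.0 U3p' into ('7.0', (3, 'p')); a GA release with no update is (0, '')."""
    m = _RELEASE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised release label: {text!r}")
    branch, update, patch = m.groups()
    return branch, (int(update or 0), (patch or "").lower())

def status(text):
    """Return 'affected', 'fixed' or 'unlisted' for a release label."""
    branch, level = parse_release(text)
    if branch not in FIXED:
        # The page lists no fix for this branch; that is not a statement of safety.
        return "unlisted"
    _, fixed_level = parse_release(f"{branch} {FIXED[branch]}")
    # Tuples order by update number first, then patch letter ('' sorts before 'a').
    return "affected" if level < fixed_level else "fixed"

# Constructed inventory for illustration; hostnames are placeholders.
INVENTORY = {
    "vc-prod-01.example.internal": "8.0 U1c",
    "vc-dr-01.example.internal": "7.0 U3p",
    "vc-lab-01.example.internal": "6.7 Update 3t",
    "vc-old-01.example.internal": "6.5 U3",
}

def triage(inventory):
    """Map each host to its status so affected servers can be prioritised."""
    return {host: status(label) for host, label in inventory.items()}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host}\t{INVENTORY[host]}\t{result}")
```
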
CVSS Score
About the Author
Mandiant
Threat Intelligence
Mandiant, a part of Google Cloud, provides threat intelligence and incident response services to organizations worldwide.