VMware Cloud Foundation Remote Code Execution (Operation Dream Job)
Summary
A critical file upload vulnerability in VMware vCenter Server that was exploited by North Korean threat actors in Operation Dream Job.
Description
VMware vCenter Server contains a critical file upload vulnerability that allows an attacker with network access to upload a file to the vCenter Server analytics service and execute code with elevated privileges. This vulnerability has been actively exploited in the wild by North Korean threat actors as part of the Operation Dream Job campaign.
The vulnerability affects the Analytics service in vCenter Server and can be exploited without authentication. By uploading a specially crafted file, an attacker can achieve remote code execution on the vCenter Server.
Google's Threat Analysis Group (TAG) has reported that North Korean government-backed attackers exploited this vulnerability to target organizations in the defense and aerospace sectors as part of Operation Dream Job, a social engineering campaign that offers targets fake job opportunities.
Affected Products
- vCenter Server 7.0 before 7.0 U2c
- vCenter Server 6.7 before 6.7 U3o
- vCenter Server 6.5 before 6.5 U3p
- Cloud Foundation 4.x before 4.2.1
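A defender's first question is whether a given deployment falls inside the ranges above. The following Python is an added example (not code from Google TAG, VMware, or this advisory) that encodes the listed fixed releases and compares a version string against them. It assumes vCenter versions are written in the advisory's "major.minor Ux<letter>" form (for example "7.0 U2c", "6.7 U3", or plain "7.0") and Cloud Foundation versions as dotted numbers; the function names and the sample inputs are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Fixed releases taken from the advisory's "Affected Products" list:
# each vCenter release line is affected by builds *before* the listed update.
VCENTER_FIXED = {
    (7, 0): (2, "c"),   # vCenter Server 7.0 before 7.0 U2c
    (6, 7): (3, "o"),   # vCenter Server 6.7 before 6.7 U3o
    (6, 5): (3, "p"),   # vCenter Server 6.5 before 6.5 U3p
}
CLOUD_FOUNDATION_FIXED = (4, 2, 1)  # Cloud Foundation 4.x before 4.2.1

# Accepts "7.0", "7.0 U2" and "7.0 U2c"; the update number and letter are optional.
_VCENTER_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*U(\d+)([a-z]?))?\s*$", re.IGNORECASE)


def parse_vcenter_version(text: str) -> Tuple[Tuple[int, int], Tuple[int, str]]:
    """Split a vCenter version string into (release line, update build).

    A missing update is treated as U0 and a missing letter as the empty
    string, so "7.0" < "7.0 U2" < "7.0 U2c" under plain tuple comparison.
    """
    m = _VCENTER_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = m.groups()
    return (int(major), int(minor)), (int(update or 0), (letter or "").lower())


def vcenter_is_affected(text: str) -> Optional[bool]:
    """True if the version is below the fix for its line, False if fixed,
    None if the release line is not one the advisory lists."""
    line, build = parse_vcenter_version(text)
    fixed = VCENTER_FIXED.get(line)
    if fixed is None:
        return None
    return build < fixed


def cloud_foundation_is_affected(text: str) -> Optional[bool]:
    """Same check for Cloud Foundation: only the 4.x line is listed."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if parts[0] != 4:
        return None
    # Tuple comparison handles "4.2" (shorter, sorts before 4.2.1) and
    # "4.2.1.0" (longer, sorts after 4.2.1) without padding.
    return parts < CLOUD_FOUNDATION_FIXED


if __name__ == "__main__":
    # Constructed inventory entries, not real hosts.
    inventory = [
        ("vcenter", "7.0 U2b"),
        ("vcenter", "7.0 U2c"),
        ("vcenter", "6.7 U3"),
        ("vcenter", "8.0"),
        ("cloud_foundation", "4.2"),
        ("cloud_foundation", "4.2.1"),
    ]
    for product, version in inventory:
        check = vcenter_is_affected if product == "vcenter" else cloud_foundation_is_affected
        state = {True: "AFFECTED", False: "fixed", None: "not listed"}[check(version)]
        print(f"{product:17} {version:10} {state}")
```

The comparison is deliberately lexical on the update letter (U3n sorts before U3o), which matches how VMware orders its update releases; it is an inventory triage aid, and the vendor's build numbers remain the authoritative way to confirm a host is patched.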
CVSS Score
About the Author
Google Threat Analysis Group
Security Research Team
Google's Threat Analysis Group (TAG) tracks threat actors and provides actionable intelligence to protect users.