CVE-2021-21974 is a heap-overflow vulnerability discovered in the OpenSLP service of VMware ESXi. The flaw allows attackers to execute arbitrary code and take control of the affected host, posing a significant threat to organizations that run their virtual infrastructure on VMware ESXi. The vulnerability was exploited during a global ransomware attack on ESXi servers, which used it together with an older 2020 vulnerability (CVE-2020-3992) to deploy a novel ransomware strain named ESXiArgs.
The attack was first flagged by the French Computer Emergency Response Team (CERT-FR) on February 3rd and has since compromised over 3,200 servers in countries including Canada, France, Finland, Germany, and the US. The primary method of compromise was an exploit for the two-year-old remote code execution (RCE) vulnerability (CVE-2021-21974) in the hypervisor's Open Service Location Protocol (OpenSLP) service. The ESXiArgs ransomware variant was seen exploiting this already-patched vulnerability, demonstrating the importance of keeping systems up to date.
Although a patch for CVE-2021-21974 had been available for two years, its exploitation shows the continuing challenge organizations face in maintaining secure IT environments. Several agencies, including the US Cybersecurity and Infrastructure Security Agency (CISA) and France's CERT-FR, have confirmed that the ESXiArgs ransomware campaign exploited this 2021 vulnerability. Given the popularity and wide use of VMware products, customers are advised to upgrade to the latest supported releases of vSphere components to address known vulnerabilities.
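As a defender's triage check added here (not code from the original page or from VMware): VMware's published workaround for CVE-2021-21974 on hosts that cannot be patched immediately is to disable the OpenSLP service, so this script reads captured `esxcli network firewall ruleset list --ruleset-id CIMSLP` and `chkconfig --list slpd` output from each host and lists the hosts where the service is still reachable and should be patched or hardened first. The exact table layout of those commands, the hostnames, and the sample outputs are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class SlpExposure:
    host: str
    firewall_open: bool   # CIMSLP firewall ruleset enabled (port 427 reachable)
    slpd_on: bool         # slpd configured to start at boot

    def exposed(self) -> bool:
        # The workaround only counts when both gates are closed.
        return self.firewall_open or self.slpd_on


def _flag(output: str, name: str, yes: str, no: str) -> bool:
    """Find a 'name  yes|no' row in a command's table output (assumed layout)."""
    for line in output.splitlines():
        m = re.match(rf"^\s*{re.escape(name)}\s+({yes}|{no})\s*$", line, re.I)
        if m:
            return m.group(1).lower() == yes
    raise ValueError(f"{name!r} not present in output")


def parse_ruleset_enabled(esxcli_output: str) -> bool:
    # From: esxcli network firewall ruleset list --ruleset-id CIMSLP
    return _flag(esxcli_output, "CIMSLP", "true", "false")


def parse_slpd_on(chkconfig_output: str) -> bool:
    # From: chkconfig --list slpd
    return _flag(chkconfig_output, "slpd", "on", "off")


def assess(host: str, esxcli_output: str, chkconfig_output: str) -> SlpExposure:
    return SlpExposure(host, parse_ruleset_enabled(esxcli_output), parse_slpd_on(chkconfig_output))


def exposed_hosts(collected: dict) -> list:
    """Hosts whose OpenSLP service is still reachable, i.e. remediate these first."""
    return sorted(h for h, (fw, ck) in collected.items() if assess(h, fw, ck).exposed())


# Constructed sample outputs (not captured from real hosts).
RULESET_OPEN = "Name    Enabled\n------  -------\nCIMSLP  true\n"
RULESET_CLOSED = "Name    Enabled\n------  -------\nCIMSLP  false\n"
SLPD_ON = "slpd                on\n"
SLPD_OFF = "slpd                off\n"

SAMPLE_FLEET = {
    "esx-01": (RULESET_OPEN, SLPD_ON),       # default state: exposed
    "esx-02": (RULESET_CLOSED, SLPD_OFF),    # workaround fully applied
    "esx-03": (RULESET_CLOSED, SLPD_ON),     # half-applied: still flagged
}

if __name__ == "__main__":
    print("Hosts still exposing OpenSLP:", exposed_hosts(SAMPLE_FLEET))
```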
Description last updated: 2024-05-04T16:30:55.163Z