Latest data breach and vulnerability – VMWARE ESXi CVE-2021-21974  vulnerability exploited by ransomware cripples Italy’s national critical infrastructure

CVE-2021-21974 Vmware Ransomware italy attack

CVE-2021-21974 Vmware Ransomware italy attack
CVE-2021-21974 vulnerability on Vmware leverage for Ransomware

Previous Issues of vulnerability Weekly

Italian Cybersecurity agency warns hacker exploiting two years old vulnerability at scale 

On February 4th Italian agency, together with the Computer Emergency Response team from France have warned of a campaign to attack Vmware servers systematically

“These attack campaigns appear to exploit CVE-2021-21974 the Computer Emergency Response Team (CERT) of France said in an advisory on Friday.

The related VMware Esxi advisory

A patch for those vulnerabilities has been available since February 23, 2021.

CERT-FR strongly recommends applying the patch as soon as possible but adds that systems left unpatched should also be scanned to look for signs of compromise.

CVE-2021-21974 affects the following systems:

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

Currently, there are 191,129 systems exposed on the web

CVE-2021-21974 vulnerability on Vmware Shodan
CVE-2021-21974 vulnerability on Vmware Shodan

Criticality Analysis

The system attacked in the recent ransomware attack were even more vulnerable as some of them were directly exposed over the web or with a secondary connection to the web system.

How old was the vulnerability? old… almost 2 years CVE-2021-21974 

Curently, EPSS gives this at 0.12 % of exploitability. 


The current scoring for those vulnerabilities is: CVSS 8.8. Currently could be overshadowed by other critical vulnerabilities that are not that critical.

Even with a low EPSS score but the external and critical system, the vulnerability should overshadow a CVSS 9/10 with low criticality and not facing externally. 

As an added value, this falls under the 95% percentile of the scored EPSS data.

Is just exploitability a driving factor? Those systems were critical and externally exposed, making them low-hanging fruit for remediation…, but they were not remediated. 

Using a quick, simplified calculation is clear to see that even a system with a low EPSS exploitability score but a high percentile could get overshadowed by other internal systems with higher CVSS. 

In this case, though, the Phoenix Vulnerability risk scoring would have bumped up the risk level of the CVSS 8.8 for crucial systems like VMware hosts/hosts and external or DMZ-facing systems. 

CVE-2021-21974 vulnerability on Vmware Risk Score
CVE-2021-21974 vulnerability on Vmware Risk Score

Vmware Ransom

In its alert released then, VMware described the issue as an OpenSLP heap-overflow vulnerability that could lead to the execution of arbitrary code. “A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution,” the virtualisation services provider noted.

“Notably, the group behind the Nevada Ransomware is also buying compromised access by themselves, the group has a dedicated team for post-exploitation and for conducting network intrusions into the targets of interest.”

Ransomware note from Hacker News

However, Bleeping Computer reports that the ransom notes seen in the attacks bear no similarities to Nevada ransomware, adding the strain is being tracked under the name ESXiArgs.

When the server is breached, the following files are stored in the /tmp folder:

  • encrypt – The encryptor ELF executable.
  • – A shell script that acts as the logic for the attack, performing various tasks before executing the encryptor, as described below.
  • public.pem – A public RSA key used to encrypt the key that encrypts a file.
  • motd – The ransom note in text form that will be copied to /etc/motd so it is shown on login. The server’s original file will be copied to /etc/motd1.
  • index.html – The ransom note in HTML form that will replace VMware ESXi’s home page. The server’s original file will be copied to index1.html in the same folder.

For more info refer to Ransomware article on bleeping computer:

Contact Us for an Assessment

Previous Issues of vulnerability Weekly

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

risk based vulnerability management how to leverage Cyber threat intelligence, contextual based information to prioritize vulnerabilities across application security and cloud security
Francesco Cipollone

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

x Logo: ShieldPRO
This Site Is Protected By