VMware and Mandiant warn of vCenter Server flaw actively exploited by hackers

published: Jan. 19, 2024

Take action: Make sure that network access to vCenter is restricted to trusted networks only. Given that hackers are already attacking vCenter, patch immediately.


VMware has issued a warning to its customers about the active exploitation of CVE-2023-34048, a severe vulnerability in vCenter Server that was patched in October 2023. Mandiant and VMware Product Security have discovered that UNC3886, a sophisticated China-linked espionage group, exploited CVE-2023-34048 as early as late 2021.

This vulnerability, identified as an out-of-bounds write issue in the DCERPC protocol, could enable attackers with network access to execute arbitrary code remotely on the vCenter Server.

The exploitation was identified through analysis of VMware service crash logs and core dumps of the "vmdird" service. These crashes, observed in multiple cases between late 2021 and early 2022, indicate that the attacker had access to this vulnerability for about a year and a half before it was patched. In most affected environments the log entries were intact, but the core dumps had been removed, likely by the attackers to hide their activity.
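As an added example (not from the advisory and not Mandiant's or VMware's tooling), a small Python check that reproduces the detection idea above: find vmdird crashes recorded in a crash log whose core dump has since disappeared. The log line format, the /var/core/ location and the core.vmdird.<pid> file name are assumptions, and the sample log lines and directory listing are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample crash-log lines (not real vCenter output): the service
# monitor records each vmdird crash and notes that a core file was written.
SAMPLE_LOG = """\
2021-12-03T02:11:40Z vmon: service vmdird exited unexpectedly (signal 11), pid 4512, core dumped
2021-12-03T02:11:55Z vmon: service vmdird restarted, pid 4530
2022-01-15T23:48:07Z vmon: service vmdird exited unexpectedly (signal 11), pid 4530, core dumped
2022-01-15T23:48:21Z vmon: service vmdird restarted, pid 4601
"""

# Constructed listing of the core-dump directory (assumed to be /var/core/):
# only the first crash still has its core file; the second one's is gone.
SAMPLE_CORE_FILES = {"core.vmdird.4512"}

CRASH_RE = re.compile(
    r"^(?P<ts>\S+) vmon: service (?P<svc>\S+) exited unexpectedly "
    r"\(signal (?P<sig>\d+)\), pid (?P<pid>\d+), core dumped$"
)


@dataclass
class Finding:
    timestamp: str
    pid: int
    signal: int
    expected_core: str


def parse_crashes(log_text: str, service: str = "vmdird"):
    """Yield (timestamp, pid, signal) for each crash of `service` that reported a core dump."""
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m and m.group("svc") == service:
            yield m.group("ts"), int(m.group("pid")), int(m.group("sig"))


def find_crashes_missing_core(log_text: str, core_files: set, service: str = "vmdird"):
    """Return crashes whose core file (assumed name core.<service>.<pid>) is absent.

    A crash the log says dumped core, with no matching file on disk, is the pattern
    described in the report: log entries intact, core dumps removed.
    """
    findings = []
    for ts, pid, sig in parse_crashes(log_text, service):
        expected = f"core.{service}.{pid}"
        if expected not in core_files:
            findings.append(Finding(ts, pid, sig, expected))
    return findings


if __name__ == "__main__":
    for f in find_crashes_missing_core(SAMPLE_LOG, SAMPLE_CORE_FILES):
        print(f"{f.timestamp} {f.expected_core} missing (signal {f.signal}) -- investigate")
```

On a real appliance, feed it the service monitor log and the listing of the core directory; a segfault of vmdird with no surviving core file is worth correlating with the timeline of other activity on the host.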

VMware updated its security advisory, confirming that CVE-2023-34048 is being exploited in real-world attacks.

The Shadowserver Foundation's data indicates that hundreds of internet-exposed instances of VMware vCenter Server could be at risk.
