CVE-2022-31680: VMware vCenter Server code execution vulnerability

Cloud computing and virtualization technology giant VMware shipped a security patch for two flaws in its vCenter Server product that could facilitate attacks against many organizations.

The vulnerability, tracked as CVE-2022-31680, is described as an unsafe deserialisation vulnerability in the PSC (Platform services controller). The flaw was reported to the virtualization giant by Marcin “Icewall” Noga of Cisco Talos.

This flaw has been assigned an “important severity” rating (CVSS score: 7.2), it can be exploited to execute arbitrary code on the underlying operating system that hosts the vCenter Server. CVE-2022-31680 affects VMware vCenter Server versions 6.5, 6.7, and 7.0.

The vulnerability, tracked as CVE-2022-31681 (CVSS score: 3.8), is a null-pointer deference vulnerability. “A malicious actor with privileges within the VMX process only may create a denial of service condition on the host,” VMware said in a notice accompanying the patch. The security researcher VictorV (Tangtianwen) of Cyber Kunlun Lab has been credited with reporting this flaw.

It’s important that vCenter Server users install the patches as soon as possible, as it’s not uncommon for malicious actors to target these types of servers. There are typically thousands of vCenter servers that are exposed to the internet, and many of them could be vulnerable to attacks.