VMware vCenter Server RCE (CVE-2024-22274): PoC Exposes Systems to Remote Takeover

A proof-of-concept (PoC) exploit has been released, targeting a recently patched high-severity vulnerability (CVE-2024-22274) in the VMware vCenter Server. With a CVSS score of 7.2, the flaw allows attackers with administrative privileges to execute arbitrary commands on the underlying operating system, potentially compromising the entire virtual infrastructure.

Security researcher Matei “Mal” Badanoiu, credited with reporting the CVE-2024-22274 vulnerability, has published a detailed proof-of-concept (PoC) exploit, increasing the urgency for organizations to patch their systems. The exploit targets the “com.vmware.appliance.recovery.backup.job.create” and “com.vmware.appliance.recovery.backup.validate” API components, which are vulnerable to a flag injection attack.

By injecting a malicious SSH flag into the “–username” field of these API calls, attackers can gain unauthorized root access to the vCenter Server appliance, allowing them to execute any command on the system. This could lead to data theft, unauthorized modifications, or even complete system takeover.

VMware has released patches to address the vulnerability in vCenter Server versions 8.0 U2b and 7.0 U3q, as well as in Cloud Foundation (vCenter Server) versions 5.1.1 and KB88287. It is crucial for organizations using these products to apply the updates immediately to mitigate the risk of exploitation.

In addition to CVE-2024-22274, Badanoiu has also detailed other vulnerabilities, CVE-2024-22275 (CVSS 4.9) and CVE-2024-37081 (CVSS 7.8), affecting vCenter Server.