VMware vCenter Server File Upload CVE-2021-22005
Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.
Sigma rule (View on GitHub)
1title: VMware vCenter Server File Upload CVE-2021-22005
2id: b014ea07-8ea0-4859-b517-50a4e5b7ecec
3status: test
4description: Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.
5references:
6 - https://kb.vmware.com/s/article/85717
7 - https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server
8author: Sittikorn S
9date: 2021/09/24
10modified: 2023/01/02
11tags:
12 - attack.initial_access
13 - attack.t1190
14 - cve.2021.22005
15 - detection.emerging_threats
16logsource:
17 category: webserver
18detection:
19 selection:
20 cs-method: 'POST'
21 cs-uri-query|contains: '/analytics/telemetry/ph/api/hyper/send?'
22 condition: selection
23falsepositives:
24 - Vulnerability Scanning
25level: high
References
-
Resolution for CVE-2021-22005 is documented in VMSA-2021-0020. Workaround: To implement the workaround for CVE-2021-22005 on Linux-based virtual appliances (vCSA) perform the following steps: 6.7 ...
Read More -
VMware published an advisory addressing 19 vulnerabilities, including one critical flaw in vCenter Server that is reportedly simple to exploit. Background On September 21, VMware published a security advisory addressing 19 vulnerabilities in vCenter Server, its centralized management software for VMware vSphere systems. The full list of vulnerabilities patched includes:
Read More
Related rules
- CVE-2010-5278 Exploitation Attempt
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-0688 Exploitation Attempt
- CVE-2020-10148 SolarWinds Orion API Auth Bypass
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt