A two-year-old vulnerability, CVE-2021-21974, was exploited on unpatched VMware ESXi servers.
The MITRE CVE entry describes it as follows: “A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution”.
Relying on unpatched software for OVER 2 YEARS when the relevant fix is readily available sounds incredible, yet it happens all the time. To make matters worse, several days into this widely reported ransomware attack, Rapid7 estimated that close to 19,000 servers still remained vulnerable.
Luckily, a recovery guide for VMware ESXi has been published by security researchers Enes Sonmez and Ahmet Aykac of the YoreGroup Tech Team. It can be accessed here.
Separately, CISA released its own recovery script on its GitHub page.
Currently there are over 2,000 compromised VMware servers reachable online, nearly half of them located in Germany and France. The majority of those belong to OVH SAS.