Positive Technologies researchers have discovered two dangerous security vulnerabilities in the VMware vCenter server.

This platform is designed for centralized management and automation of VMware vSphere, a key product in modern data centers. The flaws have since been patched.

The flaws could have allowed criminals to penetrate a company’s external perimeter, Positive Technologies said. They could also gain access to sensitive data and scan a company’s internal network to get information about the open ports of various services.

Earlier this month, Positive Technologies discovered a high-severity vulnerability in the VMware vSphere Replication data replication tool.

Test Environment Detected the Vulnerabilities

Mikhail Klyuchnikov is senior web application security researcher at Positive Technologies. He said his company found the vulnerabilities when it implemented a test environment to check the product’s security.

Positive Technologies reported the vulnerabilities to VMware following responsible disclosure practices, which thanked Klyuchnikov for reporting them.

Positive Technologies’ Mikhail Klyuchnikov

“We unfortunately do not have information about if the flaws have been exploited in the wild,” Klyuchnikov said.

VMware said updates are available to remediate these vulnerabilities in its affected products.

“VMware holds up to 80% of the virtual machine market,” Klyuchnikov said. “Any companies using the VMware vCenter server to manage their vSphere installations could become possible victims. Our threat intelligence suggests there are over 6,000 VMware vCenter devices worldwide that are accessible from the internet and contain the most critical of the two vulnerabilities.”

A quarter of these devices are located in the United States, Klyuchnikov said. That’s followed by Germany, France, China, Great Britain, Canada, Russia, Taiwan, Iran and Italy.

Potential Damage

“By exploiting this flaw, a criminal could compromise a VMware hypervisor, which would allow access to critical internal infrastructure servers and business systems, such as domain controllers, Citrix servers, and servers of financial accounting systems, etc.,” he said. “It’s also possible for attackers to compromise the PCI DSS segment, opening up an opportunity to manage ATM network control servers or bank processing servers.”

Positive Technologies recommends testing software products thoroughly before every release.

“This is the only way to reduce the number of vulnerabilities that can be found in the product,” Klyuchnikov said.