Chinese Cybercriminal Misused ESXi Zero-Day for Stealing Data from Guest VMs

A Chinese cyber-espionage group has been exploiting a zero-day authentication bypass flaw in VMware ESXi hosts to execute privileged commands on guest virtual machines, according to researchers. Mandiant discovered the vulnerability while investigating the activities of UNC3886, a Chinese threat actor previously found to have been targeting VMware ESXi hosts. The bug is present in VMware Tools, which is designed for enhanced management of guest operating systems. It allows attackers who control a compromised ESXi host to transfer files to and from Windows, Linux, and vCenter guest virtual machines without guest credentials and without default logging. VMware has since released a patch for the flaw. Mandiant found no evidence that UNC3886 used any zero-day vulnerability to break into the ESXi environment, but it highlighted the threat actor's ability to flexibly switch attack paths and tactics.
