VMware Horizon Vulnerability Advisory | January 2022

Threat actors are exploiting Apache Log4j vulnerabilities in unpatched VMware Horizon servers. Here's what you need to know.

Background

On January 19, 2022, VMware Security Solutions issued an advisory in response to attackers actively targeting VMware Horizon servers that are vulnerable to Apache Log4j CVE-2021-44228 (Log4Shell). VMware Horizon is a platform for running and delivering virtual desktops and apps across the hybrid cloud.


Quick facts: what you need to know now

  • Threat actors are leveraging the Log4j vulnerability on unpatched VMware Horizon servers to gain full access to and control of systems and to install web shells.
  • After gaining access, threat actors are using Windows PowerShell to move from the VMware Horizon server to other systems in impacted environments.

Next Steps for All VMware Horizon Customers:

  1. Update VMware Horizon servers to the fixed version.
  2. If you are unsure whether you are fully patched, request a free Log4j remote scan from Corvus.
  3. Check this article periodically over the next few weeks; we will keep it updated as more information becomes available.

Resources

Rapid7 Blog Post: https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/

Techzine Security News: https://www.techzine.eu/news/security/70840/uk-nhs-warns-of-log4j-vulnerability-in-vmware-horizon/


If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!