GreyNoise Tag Round Up | May 24 - June 4

New Tags

CVE-2021-21985

Tag: Vmware vSphere Client RCE Attempt [Intention: Malicious]

• This IP address has been observed sending requests that exploit CVE-2021-21985, a remote code execution vulnerability in VMware Sphere Client.
• Sources: VMware, NIST, AttackerKB, @alt3kx (GitHub PoC)
• See it on GreyNoise Viz

Tag: VMware vSphere Client RCE Vuln Check [Intention: Unknown]

• This IP has been observed checking for the existence of CVE-2021-21985, a remote code execution vulnerability in VMware Sphere Client.
• Sources: VMware, NIST, AttackerKB, @wvu (Twitter)
• See it on GreyNoise Viz

CVE-2021-28799

Tag: VMware ESXi OpenSLP RCE Attempt [Intention: Malicious]

• This IP address has been observed attempting to exploit CVE-2021-21974, a heap overflow vulnerability in VMware ESXi OpenSLP that can lead to remote code execution.
• Source: VMware, Zero Day Initiative, @straight_blast (Medium, GitHub PoC)
• See it on GreyNoise Viz

Tag Improvements

As part of our process, our research team continues to clean up and improve on existing tags as new information or better processes are introduced.

Tag: Elasticsearch RCE Attempt [Intention: Malicious]

• This IP address has been observed sending requests that exploit CVE-2015-1427, an Elasticsearch code injection vulnerability.
• Sources: NIST, PoC Blog, GitHub
• See it on GreyNoise Viz

Recent Actor Tag

• Cyber Casa [Intention: Benign]‍
• Sources: CyberCasa‍
• See it on GreyNoise Viz

Removed Tags

These tags have been removed because they no longer exist, scan, and/or can no longer be accurately identified

• Swedish Defense Research Agency (FOI)
• Elasticsearch Worm