Active exploitation of VMware vcenter servers has been detected targeting unpatched VMware vcenter servers. Different ips have been found. The vulnerability affects machines running vCenter Server versions 6.7, and 7.0 VMware urges administrators to act immediately under the assumption that an adversary is already on the network, ready to take advantage.
VMware vCenter Server and Cloud Foundation could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions by the Analytics service. A remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
Refer to vendor advisory for the complete list of affected products and their respective patches.