VMware Vulnerability Allows Attackers To Take Over Virtual Machines With ISO Attached

Jan 25, 2022 by Taylor Krieg

At the beginning of this month, VMware released an advisory (VMSA-2022-0001) about a heap-overflow vulnerability in the CD-ROM device emulator (CVE-2021-22045).

Exploiting this vulnerability allows an attacker to execute code in the hypervisor from a virtual machine that has a connected CD image. This means the attacker could then take over all of the virtual machines running on that same ESXi host.

What Does This Vulnerability Affect?

This vulnerability appears to affect all versions of ESXi, given that VMware released patches for supported versions 6.5 and 6.7.

The 7.0 patch is still pending, but all current versions of 7.x are impacted.

This is a large exposure because leaving an ISO attached to a virtual machine is a common mistake, often noticed only later when a vMotion of the virtual machine is attempted.

What Can You Do?

Until you can upgrade/patch your ESXi environment, you should disable/disconnect all CD-ROM/DVD devices on all running virtual machines.

  • This PowerCLI command can be run to list all VMs that have a CD-ROM/DVD connected:

Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Select Parent

  • This PowerCLI command can be run to remove the media from and disconnect an attached CD-ROM/DVD device:

Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Set-CDDrive -NoMedia -confirm:$false
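
The two commands above combined into one audit-then-remediate pass, as an added example that is not part of the original post: it records which ISO each running VM had attached before anything is disconnected, and does a dry run first. It assumes PowerCLI is loaded and Connect-VIServer has already been run; $ReportPath is a hypothetical output file.

```powershell
# Added example. Assumes an existing Connect-VIServer session.
# $ReportPath is a hypothetical location for the pre-change inventory.
$ReportPath = ".\cdrom-inventory-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"

# Same filter as the one-liners above, limited to running VMs as the
# mitigation describes.
$drives = @(
    Get-VM |
        Where-Object { $_.PowerState -eq 'PoweredOn' } |
        Get-CDDrive |
        Where-Object { $_.ExtensionData.Connectable.Connected -eq $true }
)

# Record what is attached where, so media can be re-attached after patching
# and so there is evidence of which VMs were exposed.
$report = @(
    foreach ($cd in $drives) {
        [pscustomobject]@{
            VM             = $cd.Parent.Name
            VMHost         = $cd.Parent.VMHost.Name
            Drive          = $cd.Name
            IsoPath        = $cd.IsoPath      # empty for host or client devices
            HostDevice     = $cd.HostDevice
            StartConnected = $cd.ExtensionData.Connectable.StartConnected
        }
    }
)
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Sort-Object VMHost, VM | Format-Table -AutoSize
Write-Host "$($drives.Count) connected CD/DVD drive(s) recorded in $ReportPath"

# Dry run: -WhatIf lists the drives that would be changed without touching them.
$drives | Set-CDDrive -NoMedia -WhatIf

# Apply once the dry-run output has been reviewed (uncomment to run).
# $drives | Set-CDDrive -NoMedia -Confirm:$false

# Verify: this should report 0 after the change has been applied.
$remaining = @(
    Get-VM |
        Where-Object { $_.PowerState -eq 'PoweredOn' } |
        Get-CDDrive |
        Where-Object { $_.ExtensionData.Connectable.Connected -eq $true }
)
Write-Host "$($remaining.Count) connected CD/DVD drive(s) remaining"
```

If a guest has the disc mounted, the disconnect can leave a pending question on the VM; Get-VMQuestion lists any that still need an answer.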


If you have any additional questions or concerns, please call 502-240-0404 or send us an email at info@mirazon.com
