December 9, 2023

VMware urges customers to patch critical Log4j  security vulnerabilities impacting Internet exposed VMware Horizon servers targeted in ongoing attacks.

Searching for Internet-exposed VMware Horizon servers with Shodan, we can find tens of thousands of installs potentially exposed to attacks.


Earlier,  Night Sky ransomware operation started exploiting the Log4Shell flaw CVE-2021-44228 in the Log4j library to gain access to VMware Horizon systems.

Threat actors started targeting VMware Horizon  systems exposed on the Internet. VMware has addressed Log4Shell in Horizon with the release of 2111, 7.13.1, 7.10.3 versions, but unfortunately many unpatched systems are still exposed online.

The security team at the UK National Health Service (NHS) also announced to have spotted threat actors exploiting the Log4Shell  vulnerability to hack VMWare Horizon servers and install web shells.

Once installed a web shell, threat actors can use it to carry out a broad range of malicious activities, such as deploying data exfiltration or deployment of ransomware.

Threat actors upon exploiting log4j flaw to deploy  custom web shells into the VM Blast Secure Gateway service to gain access to the networks of target organizations.

Multiple VMWare products, including VMware Horizon products, are impacted by remote code execution vulnerabilities via Apache Log4j (CVE-2021-44228, CVE-2021-45046).


Dutch National Cybersecurity Centre (NCSC) warned organizations to remain vigilant on possible attacks exploiting the Log4J  vulnerability. The Dutch agency, threat actors the NCSC will continue to attempt to exploit the  Log4Shell flaw in future attacks.

The virtualization giant urges customers to examine VMSA-2021-0028 and apply the guidance for Horizon. VMware published a dedicated  Guidance to VMware Horizon customers regarding Log4j.