He pointed out that many threat actors use dictionaries, which include the default credentials shipped with products, to guess passwords or usernames, and it doesn’t help that many organizations forget to change them. IT leaders who mandate changing default credentials increase the time it takes for a threat actor to guess the login ID portion of a credential pair. These bugs, on the other hand, make the attacker’s job easier.
“Using these [VMware] vulnerabilities, without any special access, threat actors are able to enumerate the active accounts on systems, which essentially gives them about 50% into guessing the credential pair (login/password),” he said. “This is a high risk condition, and administrators should patch immediately and ensure they are not using default account logins.”
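The two risks described above, account enumeration giving an attacker the login half of a credential pair, and default account names still in use, can both be checked for on the defender's side from authentication logs. The following Python script is an added example written for this article, not code from VMware or from anyone quoted here; the log line format, the IP addresses, the usernames and the list of default account names are all constructed for illustration. It flags a source that tries many distinct usernames in a short window (the signature of enumeration) and reports successful logins by accounts whose names match vendor-style defaults.

```python
"""
Detect login-name enumeration and default-account use in authentication logs.

Added example (not from the article). The log format below is hypothetical:
"<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>" per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one source cycling through many usernames,
# one ordinary user with a typo'd password, and one login by a default account.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 admin FAIL
2024-01-01T10:00:01 203.0.113.5 root FAIL
2024-01-01T10:00:02 203.0.113.5 backup FAIL
2024-01-01T10:00:03 203.0.113.5 svc_vcenter FAIL
2024-01-01T10:00:04 203.0.113.5 jsmith FAIL
2024-01-01T10:00:05 203.0.113.5 operator FAIL
2024-01-01T10:00:06 203.0.113.5 guest FAIL
2024-01-01T10:00:30 203.0.113.5 jsmith SUCCESS
2024-01-01T10:05:00 198.51.100.7 jsmith FAIL
2024-01-01T10:05:04 198.51.100.7 jsmith SUCCESS
2024-01-01T11:00:00 192.0.2.9 admin SUCCESS
"""

# Constructed list of default account names that should be renamed or disabled.
DEFAULT_ACCOUNTS = {"admin", "root", "administrator", "guest", "operator"}


def parse_log(text):
    """Parse the hypothetical log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def enumeration_sources(events, window=timedelta(minutes=1), threshold=5):
    """Return {source_ip: set_of_usernames} for every source that attempted at
    least `threshold` distinct usernames inside some `window`-long sliding window.
    Many different names from one source in a short time is the enumeration
    pattern; a single user mistyping a password does not trigger it."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # chronological, so the window scan below is valid
        for i, (start, _) in enumerate(attempts):
            names = {u for t, u in attempts[i:] if t - start <= window}
            if len(names) >= threshold:
                flagged[ip] = names
                break
    return flagged


def default_account_logins(events):
    """Return sorted (ip, user) pairs where a default account name logged in
    successfully; each one is an account that should have been renamed or disabled."""
    return sorted(
        {(ip, user) for _, ip, user, result in events
         if result == "SUCCESS" and user in DEFAULT_ACCOUNTS}
    )


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ip, names in enumeration_sources(evts).items():
        print(f"possible username enumeration from {ip}: {sorted(names)}")
    for ip, user in default_account_logins(evts):
        print(f"default account '{user}' logged in from {ip}")
```

The window and threshold are tunable; on a real system they should be set from the observed baseline of distinct usernames per source, and the default-account list replaced with the names actually shipped by the products in use.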
Robert Beggs, head of Canadian incident response firm DigitalDefence, said the SMTP attack vulnerability seems “somewhat limited in spite of the high severity level. It requires malicious action on the part of a legitimate user who does not yet have admin-level access.”
