Wednesday, May 14, 2025
HomeCyber Security NewsHackers Targeting Log4j Flaws in VMware Horizon - NHS

Hackers Targeting Log4j Flaws in VMware Horizon – NHS

Published on

SIEM as a Service

Follow Us on Google News

In VMware Horizon servers to establish web shells, the threat actors are actively targeting and exploiting the Log4Shell vulnerabilities. 

The UK’s National Health Service (NHS) has warned about a Log4Shell exploit that is actively targeting the vulnerability that is tracked as “CVE-2021-44228,” it’s a critical arbitrary remote code execution flaw in the Apache Log4j 2.14.

Since December 2021 this vulnerability has been under active and high-volume exploitation by the threat actors.

- Advertisement - Google News

While here, the affected product is VMware Horizon, and the version that was affected by this critical vulnerability is the:-

  • Horizons Connection Server (64bit) 2006-2111, 7.13.0-7.13.1, 7.10.0-7.10.3

In VMware Horizon, Apache Tomcat is Targeted

On vulnerable VMware Horizon deployments that were made on the public infrastructure, the threat actors are actively leveraged the exploit simply to gain remote code execution (RCE). 

Here’s what the non-departmental public body stated in an alert:-

“The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to call back to malicious infrastructure.”

“Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.”

In short, with the help of web shell, the threat actors can perform several malicious tasks like:-

  • Deployment of additional malicious software.
  • Data exfiltration.
  • Deployment of ransomware.

Here, the presence of the Apache Tomcat service in VMware Horizon gives efficient advantages to the threat actors, since this service is also vulnerable to Log4Shell.

To perform all these things, with the command and control (C2) server the threat actors establish persistent and stable communication, as it’s one of the key factors.

Flaw Profile

  • CVE ID: CVE-2021-44228
  • Threat ID: CC-4002
  • Threat Severity: Critical
  • CVSS score: 10.0
  • Threat Vector: Exploit
  • Published: 5 January 2022 3:30 PM

Security Advice

Things that are recommended by the experts to look after:-

  • Evidence of ws_TomcatService.exe spawning abnormal processes.
  • Any powershell.exe processes containing ‘VMBlastSG’ in the commandline.
  • File modifications to ‘…\VMware\VMware View\Server\appblastgateway\lib\absg-worker.js’ (This file is generally overwritten during upgrades, and not modified.)

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Windows Ancillary for WinSock 0-Day Vulnerability Actively Exploited to Gain Admin Access

Microsoft has confirmed active exploitation of a critical privilege escalation vulnerability in the Windows...

Earth Ammit Hackers Deploy New Tools to Target Military Drones

The threat actor group known as Earth Ammit, believed to be associated with Chinese-speaking...

New Microsoft Scripting Engine Vulnerability Exposes Systems to Remote Code Attacks

Critical zero-day vulnerability in Microsoft’s Scripting Engine (CVE-2025-30397) has been confirmed to enable remote...

Critical Microsoft Office Vulnerabilities Enable Malicious Code Execution

Microsoft has addressed three critical security flaws in its Office suite, including two vulnerabilities...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Windows Ancillary for WinSock 0-Day Vulnerability Actively Exploited to Gain Admin Access

Microsoft has confirmed active exploitation of a critical privilege escalation vulnerability in the Windows...

Earth Ammit Hackers Deploy New Tools to Target Military Drones

The threat actor group known as Earth Ammit, believed to be associated with Chinese-speaking...

New Microsoft Scripting Engine Vulnerability Exposes Systems to Remote Code Attacks

Critical zero-day vulnerability in Microsoft’s Scripting Engine (CVE-2025-30397) has been confirmed to enable remote...