A critical vulnerability in vCenter Server could allow an unauthenticated attacker to execute arbitrary code on the server that hosts vCenter and so take over the system.
vCenter Server is used by IT Admins to manage VMware installations and the virtual machines that run in the VMware environment. The vulnerability (CVE-2021-21972) in a plug-in used by the vSphere Client is present in all default installations and has a CVSS rating of Critical (9.8).
According the security advisory from VMware:
A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Since this vulnerability can be exploited without the need for any credentials, VMWare is advising customers to install the patch as soon as possible or follow workaround instructions to disable the vulnerable module as an interim step.
The vulnerability affects vCenter versions 6.5, 6.7 and 7.0.
