A critical vulnerability has been reported in vCenter Server, the central management system of any VMware infrastructure, as well as in VMware Cloud Foundation. It affects versions 6.5, 6.7 and 7.0, all of which are currently supported by VMware.

VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

“A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,” says VMware in its Advisory.

The vulnerability exists in the vSphere Client (HTML5) in combination with certain plug-ins that extend the VMware environment. The following plug-ins are currently known to be affected:

  • Virtual SAN Health Check plug-in
  • vSAN Health Check
  • Site Recovery
  • vSphere Lifecycle Manager
  • VMware Cloud Director Availability

For customers who are unable to install the required patches at short notice, VMware recommends temporarily disabling the affected plug-ins until the patches can be applied.

Should you have any questions about the vulnerability or require support in patching your system, please do not hesitate to contact your Bechtle account manager or get in touch with our VMware experts.