
VMware Remote Code Execution and Authentication Vulnerability (CVE-2021-21985, CVE-2021-21986)

Advisory No: TZCERT/SA/2021/05/27

Date of First Release: 27th May 2021

Source: VMware 

Software Affected: 

  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)


Multiple vulnerabilities exist in the vSphere Client (HTML5) that could allow remote code execution (CVE-2021-21985) and allow actions permitted by the Virtual SAN Health Check plug-in to be performed without authentication (CVE-2021-21986).


The vSphere Client (HTML5) contains a remote code execution vulnerability (CVE-2021-21985) due to a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server.

Similarly, the client contains another authentication vulnerability (CVE-2021-21986) for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins that could allow an attacker to bypass authentication and perform actions supported by the plug-ins.


Successful exploitation of these vulnerabilities could lead to remote code execution and authentication bypass on the affected system.


VMware has issued security updates to address both vulnerabilities in the affected products. Users and administrators are advised to apply the necessary updates to affected products: vCenter Server (7.0 U2b, 6.7 U3n, 6.5 U3p) and Cloud Foundation (4.2.1 and .10.2.1).
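The fixed vCenter Server releases listed above can be checked against an inventory with a short script. The following Python is an added example, not part of the original advisory or of VMware's tooling. It assumes the inventory records releases as labels such as "6.7 U3m" and that later updates in the same release line include the fix; it covers vCenter Server only, and the hostnames and function names are illustrative.

```python
import re

# Release label such as "6.7 U3m": release line, update number, optional patch letter.
_LABEL = re.compile(r"^\s*(\d+\.\d+)(?:\s*U(\d+)([a-z]?))?\s*$", re.IGNORECASE)


def parse_release(label):
    """Split '6.7 U3m' into ('6.7', (3, 'm')). A bare '7.0' is treated as update 0."""
    m = _LABEL.match(label)
    if not m:
        raise ValueError(f"unrecognised release label: {label!r}")
    line, update, letter = m.groups()
    return line, (int(update or 0), (letter or "").lower())


# Fixed vCenter Server releases exactly as listed in this advisory.
FIXED = dict(parse_release(label) for label in ("7.0 U2b", "6.7 U3n", "6.5 U3p"))


def classify(label):
    """Return 'patched', 'vulnerable' or 'unknown' for one release label."""
    try:
        line, level = parse_release(label)
    except ValueError:
        return "unknown"  # label format not understood: check manually
    if line not in FIXED:
        return "unknown"  # release line not in this advisory's fixed-version list
    # Assumption: updates are cumulative, so any level at or above the fix is patched.
    return "patched" if level >= FIXED[line] else "vulnerable"


def triage(inventory):
    """Map each host to its status; anything other than 'patched' needs follow-up."""
    return {host: classify(label) for host, label in inventory.items()}


# Constructed sample inventory (hostnames and labels are illustrative).
SAMPLE = {
    "vc-prod-01": "7.0 U2b",
    "vc-prod-02": "7.0 U2a",
    "vc-dr-01": "6.7 U3m",
    "vc-lab-01": "6.5 U3p",
    "vc-old-01": "6.0 U3",
    "vc-misc-01": "7.0.2",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:12} {SAMPLE[host]:10} {status}")
```

Hosts reported as "unknown" are not cleared by this check and should be verified against the VMware advisory directly.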


  1. https://kb.vmware.com/s/article/83829
  2. https://www.vmware.com/security/advisories/VMSA-2021-0010.html
