Advisory No: TZCERT/SA/2021/02/25
Date of First Release: 25th February 2021
- VMware vCenter Server version 6.5, 6.7 and 7.0
- VMware ESXi version 6.5, 6.7 and 7.0
- VMware Cloud Foundation (vCenter Server) version 3.x and 4.x
- VMware Cloud Foundation (ESXi) version 3.x and 4.x
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin that could allow an unauthenticated, remote attacker to execute arbitrary code on the server.
The vulnerability allows unauthorized clients to execute arbitrary commands and to send requests on behalf of the targeted server: an unauthenticated file upload leads to remote code execution, and the same flaw enables server-side request forgery (SSRF).
Successful exploitation of the vulnerability could allow an unprivileged user to gain access to the system.
VMware has issued both a workaround and security updates for the affected products. Users and administrators are advised to apply the necessary updates, or to perform the published workaround as a temporary solution where updates cannot be applied immediately.