VMware reveals critical vCenter hole it says ‘needs to be considered at once’


VMware has revealed a critical bug that can be exploited to achieve unauthenticated remote code execution in the very core of a virtualised system – vCenter Server.


The culprit is the vSphere HTML5 client, which by default includes the Virtual SAN Health plugin – even if you don’t run VMware vSAN. That plugin lacks input validation, and the result, as VMware’s advisory this week explains, is: “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”
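Because the plugin is shipped enabled by default, the first thing an administrator will want is a way to confirm whether it is still allowed on a given vCenter. The script below is an added example, not VMware’s own tooling: it parses a plugin compatibility matrix of the kind the vSphere UI uses and reports whether the vSAN plugin package is blocked. The file path, the plugin package ids and the assumption that a `status="incompatible"` entry blocks a plugin are placeholders and assumptions, not values taken from the advisory; the two sample matrices are constructed for the example.

```python
"""Audit a vSphere UI plugin compatibility matrix for the vSAN Health plugin.

Added example, not VMware tooling. MATRIX_PATH, VSAN_PLUGIN_IDS and the
"incompatible" status convention are placeholders/assumptions; take the
authoritative values from VMware's advisory and knowledge base.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable

# Placeholder path (assumption): consult VMware's documentation for the real file.
MATRIX_PATH = "/PLACEHOLDER/path/to/compatibility-matrix.xml"

# Placeholder plugin package ids (assumption, not from the article).
VSAN_PLUGIN_IDS = {"EXAMPLE.vsan.health.plugin"}

# Status value assumed to block a plugin package (assumption).
BLOCKED_STATUS = "incompatible"

# Constructed sample: the vSAN plugin is not listed, so it stays enabled by default.
SAMPLE_MATRIX_ALLOWED = """<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="EXAMPLE.other.plugin" status="compatible"/>
  </pluginsCompatibility>
</Matrix>
"""

# Constructed sample: the vSAN plugin has been explicitly blocked.
SAMPLE_MATRIX_BLOCKED = """<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="EXAMPLE.other.plugin" status="compatible"/>
    <PluginPackage id="EXAMPLE.vsan.health.plugin" status="incompatible"/>
  </pluginsCompatibility>
</Matrix>
"""


def plugin_status(matrix_xml: str, plugin_ids: Iterable[str]) -> Dict[str, str]:
    """Return the status recorded for each plugin id in the matrix.

    Ids that do not appear at all are reported as "not listed": a plugin that
    is not mentioned is loaded normally, which is exactly the default case the
    advisory warns about.
    """
    statuses = {pid: "not listed" for pid in plugin_ids}
    try:
        root = ET.fromstring(matrix_xml)
    except ET.ParseError:
        # An unparseable matrix gives no guarantee that anything is blocked.
        return {pid: "unparseable" for pid in plugin_ids}
    for pkg in root.iter("PluginPackage"):
        pid = pkg.get("id", "")
        if pid in statuses:
            statuses[pid] = pkg.get("status", "")
    return statuses


def vsan_plugin_blocked(matrix_xml: str, plugin_ids: Iterable[str] = VSAN_PLUGIN_IDS) -> bool:
    """True only if every vSAN plugin id is explicitly marked as blocked."""
    statuses = plugin_status(matrix_xml, plugin_ids)
    return bool(statuses) and all(s == BLOCKED_STATUS for s in statuses.values())


def audit_file(path: str = MATRIX_PATH) -> Dict[str, str]:
    """Read a matrix from disk and report the vSAN plugin status."""
    with open(path, encoding="utf-8") as fh:
        return plugin_status(fh.read(), VSAN_PLUGIN_IDS)


if __name__ == "__main__":
    for label, sample in (("allowed", SAMPLE_MATRIX_ALLOWED), ("blocked", SAMPLE_MATRIX_BLOCKED)):
        print(label, plugin_status(sample, VSAN_PLUGIN_IDS), "blocked:", vsan_plugin_blocked(sample))
```

Treat a "not listed" result as the plugin being active. Blocking the plugin is only a stopgap that reduces exposure on the vSphere UI; it does not replace applying VMware's fix, and it should be re-checked after upgrades, since an upgrade can restore the default matrix.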


As vCenter is the tool with which VMware users drive their fleets of virtual machines, the bug is rated a 9.8 out of 10 in severity.

VMware urges instant patching. In a