Security News > 2021 > February > VMware fixes critical RCE bug in all default vCenter installs

VMware has addressed a critical remote code execution vulnerability in the vCenter Server virtual infrastructure management platform that may allow attackers to take control of affected systems.
"The vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin," VMware explains in the advisory.
The impacted vCenter Server plugin for vRealize Operations is present in all default installations, with vROPs not being required for the affected endpoint to be available.
VMware fixed an Unauth RCE in vCenter found by our researcher Mikhail Klyuchnikov.
VMware also fixed today an important heap-overflow vulnerability in VMware ESXi that may enable attackers to execute arbitrary code remotely on impacted devices.
In April 2020, VMware addressed another critical vCenter Server vulnerability that could've allowed attackers to access sensitive information and potentially take control of impacted Windows systems or virtual appliances.