Security News > 2021 > May > Critical RCE Vulnerability Found in VMware vCenter Server — Patch Now!
VMware has rolled out patches to address a critical security vulnerability in vCenter Server that could be leveraged by an adversary to execute arbitrary code on the server.
VMware vCenter Server is a server management utility that's used to control virtual machines, ESXi hosts, and other dependent components from a single centralized location.
The flaw affects vCenter Server versions 6.5, 6.7, and 7.0 and Cloud Foundation versions 3.x and 4.x. VMware credited Ricter Z of 360 Noah Lab for reporting the vulnerability.
CVE-2021-21985 is the second critical vulnerability that VMware has rectified in the vCenter Server.
Earlier this February, it resolved a remote code execution vulnerability in a vCenter Server plug-in that could be abused to run commands with unrestricted privileges on the underlying operating system hosting the server.
The fixes for the vCenter flaws also come after the company patched another critical remote code execution bug in VMware vRealize Business for Cloud due to an unauthorized endpoint that could be exploited by a malicious actor with network access to run arbitrary code on the appliance.
News URL
Related news
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- A critical vulnerability in Delinea Secret Server allows auth bypass, admin access (source)
- Critical vulnerabilities in TeamCity JetBrains fixed, release of technical details imminent, patch quickly! (CVE-2024-27198, CVE-2024-27199) (source)
- Exploit available for new critical TeamCity auth bypass bug, patch now (source)
- Critical JetBrains TeamCity On-Premises Flaws Could Lead to Server Takeovers (source)
- VMware fixes critical sandbox escape flaws in ESXi, Workstation, and Fusion (source)
- VMware patches critical flaws in ESXi, Workstation, Fusion and Cloud Foundation (source)
- Microsoft waited 6 months to patch actively exploited admin-to-kernel vulnerability (source)
- Microsoft March 2024 Patch Tuesday fixes 60 flaws, 18 RCE bugs (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-05-26 | CVE-2021-21985 | Improper Input Validation vulnerability in VMWare Vcenter Server 6.5/6.7/7.0 The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. | 10.0 |