VMware warns of critical bug in default vCenter Server installs (Security News, September 2021)
VMware warns customers to immediately patch a critical arbitrary file upload vulnerability in the Analytics service, impacting all appliances running default vCenter Server 6.7 and 7.0 deployments.
vCenter Server is a server management solution that helps IT admins manage virtualized hosts and virtual machines in enterprise environments via a single console.
"This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server," said Bob Plankers, Technical Marketing Architect at VMware.
"A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file."
In May, VMware issued a similar warning regarding a critical remote code execution flaw in the Virtual SAN Health Check plug-in impacting all vCenter Server deployments.
Another critical RCE bug, fixed in February, affected all vCenter Server deployments through a vulnerable vCenter Server plug-in for vRealize Operations, which is present in all default installations.