CVE-2021-21986

Published: 26/05/2021 Updated: 03/06/2021
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Authentication mechanism issue in VMware vCenter Server Plug-ins. The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

Vulnerable Products

vmware vcenter server 6.5
vmware vcenter server 6.7
vmware vcenter server 7.0
vmware cloud foundation

Recent Articles

VMware reveals critical vCenter hole it says ‘needs to be considered at once’
The Register • Simon Sharwood, APAC Editor • 26 May 2021

Unauthenticated remote code execution possible thanks to vSphere Client bug

VMware has revealed a critical bug that can be exploited to achieve unauthenticated remote code execution in the very core of a virtualised system – vCenter Server.
The culprit is the vSphere HTML5 client, which by default includes the Virtual SAN Health plugin – even if you don’t run a VMware VSAN. That plugin lacks input validation and the result, as explained by VMware’s advisory this week, is: “A malicious actor with network access to port 443 may exploit this issue to execut...