VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21972)
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
Known Attack Vectors
A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Resolution
To remediate CVE-2021-21972 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.
Workarounds
Workarounds for CVE-2021-21972 have been listed in the 'Workarounds' column of the 'Response Matrix' below.
More details here
https://www.vmware.com/security/advisories/VMSA-2021-0002.html