The vulnerability, tracked as CVE-2021-21985, was reported to VMware by Ricter Z of 360 Noah Lab and it has been patched in versions 6.5, 6.7 and 7.0 of vCenter Server.

According to VMware, the vulnerability impacts the vSphere Client, specifically the Virtual SAN Health Check plugin, which is enabled by default in vCenter Server even if the plugin is not actually being used. An attacker with access to port 443 can exploit the flaw to execute commands with elevated privileges on the operating system that hosts vCenter Server.