May 27, 2021
VMware released an advisory (VMSA-2021-0010) where the vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. The affected Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether vSAN is being used.
Businesses using VMware vCenter Server and VMware Cloud Foundation in their environment.
Apply workaround asap as stated in this article: