If your organization uses VMware’s flagship products (vSphere and vCenter), we recommend updating these immediately.
In a news release posted on the company website, VMware disclosed a significant bug in both products and urged users to drop everything and patch it. The virtualization giant also offered a workaround (more on that below).
In the accompanying blog post, the company described the flaw as “A file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.”
The post went on to say, “In this era of ransomware it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account,” adding, “which is why we strongly recommend declaring an emergency change and patching as soon as possible.”
VMware recommends patching promptly, but the release also points out the drawbacks (and the overall effectiveness) of the workaround it offers.