Unauthenticated Access Vulnerability in vSphere Client (HTML5) Plug-ins

Unauthenticated Access Vulnerability in vSphere Client (HTML5) Plug-ins

CVE-2021-21986 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication.

Learn more about our Cis Benchmark Audit For Server Software.