VMware has published a security patch to prevent attackers from hijacking at-risk servers via a critical vulnerability in vRealize Business for Cloud (VBC).

Positive Technologies security researcher Egor Dimitrenko discovered a remote code execution vulnerability in VMware’s automated cloud management tool stemming from an unauthorised VAMI API.

An unauthorised attacker with network access could use the security flaw to run malicious code on vulnerable servers. In an advisory, VMware said it “has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.”

The vulnerability – CVE-2021-21984 – affects virtual appliances running VMware vRealize Business for Cloud prior to version 7.6.0.

VMware is asking companies using the tool to update their software to the latest version, which can be found here.

The Dell Technologies subsidiary is also recommending that IT and security teams take snapshots before applying the patch.

VBC provides enterprise customers with a dashboard for cloud planning, budgeting, cloud comparison and consumption metering. This means an attacker exploiting the vulnerability would have an insight into a business’ public and private cloud resources.

In December 2020 the NSA warned that state-backed Russian cyberattackers were actively exploiting a separate VMware vulnerability to access data on systems.

In April Dell said it will spin off VMware to create two standalone public companies and generate up to $9.7bn for paying down debt.

Founded in 1998, VMware creates software that virtualises different types of hardware and splits these elements into multiple virtual computers. Its customers hail from diverse sectors including banking, telecommunications, retail and transportation.