VMware has published a security patch to prevent attackers from hijacking at-risk servers via a critical vulnerability in vRealize Business for Cloud (VBC).

Positive Technologies security researcher Egor Dimitrenko discovered a remote code execution vulnerability in VMware’s automated cloud management tool, stemming from a VAMI (Virtual Appliance Management Interface) API endpoint that lacked authorisation checks.

An unauthorised attacker with network access could use the security flaw to run malicious code on vulnerable servers. In an advisory, VMware said it “has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.”

The vulnerability – CVE-2021-21984 – affects virtual appliances running VMware vRealize Business for Cloud prior to version 7.6.0.

VMware is asking companies using the tool to update their software to the latest version.

The Dell Technologies subsidiary is also recommending that IT and security teams take snapshots before applying the patch.
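Because the advisory scopes the flaw to appliances running versions prior to 7.6.0, the first defensive step is an inventory check. The following is an added example, not code from VMware or the article: it takes a constructed list of appliance hostnames and version strings and flags those below the fixed version. The hostnames and versions are made up for illustration; the one thing worth noticing is that versions must be compared numerically, since a plain string comparison would treat a hypothetical "7.10.x" as older than "7.6.0".

```python
from typing import Iterable, List, Tuple

# Fixed release per the VMware advisory: appliances prior to 7.6.0 are affected.
FIXED_VERSION = (7, 6, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '7.5.0' (or '7.5.0.12345' with a build suffix) into a numeric tuple.

    Only the first three components are compared; a missing component counts as 0.
    """
    parts = version.strip().split(".")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True when the appliance version is below the fixed release."""
    return parse_version(version) < FIXED_VERSION


def find_unpatched(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose reported version still needs the patch."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory (hypothetical hostnames and versions).
INVENTORY = [
    ("vbc-prod-01", "7.5.0"),     # below 7.6.0: needs patch
    ("vbc-dr-01", "7.6.0"),       # at the fixed release
    ("vbc-lab-01", "7.10.2"),     # hypothetical later release; lexically "smaller" than 7.6.0
]

if __name__ == "__main__":
    for host in find_unpatched(INVENTORY):
        print(f"{host}: snapshot the appliance, then apply the 7.6.0 update")
```

Run it against an export from whatever asset inventory lists the appliances; any host it prints should be snapshotted and updated, per VMware's guidance above.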


VBC provides enterprise customers with a dashboard for cloud planning, budgeting, cloud comparison and consumption metering. This means an attacker exploiting the vulnerability would gain insight into a business’s public and private cloud resources.

In December 2020 the NSA warned that state-backed Russian cyberattackers were actively exploiting a separate VMware vulnerability to access data on systems.

In April Dell said it would spin off VMware to create two standalone public companies and generate up to $9.7bn for paying down debt.

Founded in 1998, VMware creates software that virtualises different types of hardware and splits these elements into multiple virtual computers. Its customers hail from diverse sectors including banking, telecommunications, retail and transportation.