A server-side request forgery (SSRF) vulnerability, tracked as CVE-2021-21975, and an arbitrary file write issue, tracked as CVE-2021-21983, affect the vROps IT operations management product, specifically the vRealize Operations Manager API. According to VMware, an attacker with network access to the API can obtain administrative credentials using the SSRF flaw. An authenticated attacker may use the second vulnerability to write files to arbitrary locations on the Photon operating system.

Egor Dimitrenko, a researcher at cybersecurity company Positive Technologies, was credited by VMware with reporting the bugs. According to Dimitrenko, an attacker may use a chain of vulnerabilities to remotely execute arbitrary code on a server. In a real-world attack, the vulnerabilities could give threat actors "unlimited opportunity to carry out more attacks on a company's infrastructure," according to the expert.

The affected versions of vRealize Operations Manager, as well as Cloud Foundation and vRealize Suite Lifecycle Manager, have been patched by VMware. The vulnerabilities should have a severity rating of "high" based on their CVSS scores, but the virtualization giant's advisory lists them as "critical." It's critical that organizations that use vROps fix these flaws as soon as possible, as they may be exploited for malicious purposes.

Hackers began scanning the internet in February for VMware vCenter servers affected by a critical vulnerability disclosed by Positive Technologies researchers. The scanning started only one day after VMware announced that patches were available. In that case, however, proof-of-concept attack code was made available, and thousands of potentially vulnerable servers were directly accessible from the internet.