VMware released a patch for multiple vulnerabilities in VMware vCenter Server and VMware Cloud Foundation, including an arbitrary file upload vulnerability tracked as CVE-2021-22005 with a CVSS score of 9.8. It impacts all appliances running default vCenter Server 6.7 and 7.0 deployments.
An attacker with network access to port 443 on vCenter Server can exploit the arbitrary file upload vulnerability by uploading a specially crafted file. Successful exploitation of this vulnerability results in code execution on the vCenter Server.
VMware vCenter Server (vCenter Server)
VMware Cloud Foundation (Cloud Foundation)
It is recommended to update the affected VMware products to their latest available versions/patch level.