VMware has recently fixed a critical unauthenticated RCE vulnerability in View Planner, its free desktop benchmarking tool, so servers still running the unpatched software could be abused by threat actors for RCE (Remote Code Execution).
Mikhail Klyuchnikov, a web application security expert at Positive Technologies, discovered and reported this security flaw.
The security flaw tracked by Mikhail is identified as CVE-2021-21978, with a CVSS score of 8.6 out of 10, and an unauthenticated attacker can exploit this vulnerability without any user interaction.
The root cause of this flaw is improper validation of file extensions. A successful attack allows an unauthenticated attacker to upload arbitrary files through specially crafted HTTP requests.
Once such a file has been uploaded, the attacker can use it to run malicious code on the vulnerable, affected servers.
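To make the root cause concrete, here is an added example of the bug class the advisory describes (improper validation of an uploaded file's extension) next to a hardened check. This is illustrative code written for this article, not VMware View Planner's code, and the allowed extensions, the upload directory and all sample filenames are constructed assumptions.

```python
import os
import re
import secrets
from typing import Optional

# Constructed example (not View Planner's code): the extension check of a
# file-upload handler, in a weak form and a hardened form.

# Assumption: the endpoint is only meant to accept these file types.
ALLOWED_EXTENSIONS = {"log", "txt", "zip"}

# Stem may contain only a conservative character set, no dots or separators.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def weak_is_allowed(filename: str) -> bool:
    """Weak check: accepts the name if an allowed extension appears anywhere
    in it. 'report.log.py' passes because 'log' is a substring, so the
    server ends up storing a file whose real extension it never validated."""
    return any(ext in filename for ext in ALLOWED_EXTENSIONS)


def hardened_filename(filename: str) -> Optional[str]:
    """Return a server-chosen storage name for the upload, or None if the
    client-supplied name is not acceptable.

    - strips any directory component (the client controls the name)
    - rejects control characters, including NUL, which can truncate names
      in lower layers
    - requires exactly one extension, compared case-insensitively against
      an allowlist, so 'a.log.py' and 'a.PY' are both rejected
    - never reuses the client's basename: the stored name is random
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or any(ord(c) < 32 or ord(c) == 127 for c in base):
        return None
    parts = base.split(".")
    if len(parts) != 2:
        return None  # no extension, or more than one extension
    stem, ext = parts
    if not _SAFE_STEM.match(stem):
        return None
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return f"{secrets.token_hex(16)}.{ext}"


def storage_path(upload_dir: str, safe_name: str) -> str:
    """Join the storage name onto the upload directory and verify the final
    path cannot escape it, even if a bad name slipped through."""
    root = os.path.realpath(upload_dir)
    final = os.path.realpath(os.path.join(root, safe_name))
    if os.path.commonpath([root, final]) != root:
        raise ValueError("upload path escaped the upload directory")
    return final


if __name__ == "__main__":
    # Constructed sample names a handler might receive from clients.
    for name in ["report.log", "REPORT.LOG", "report.log.py", "run.py",
                 "../../uploads/notes.log", "notes.log\x00.py"]:
        print(f"{name!r:32} weak={weak_is_allowed(name)!s:5} "
              f"hardened={hardened_filename(name)}")
```

The hardened check validates the extension against an allowlist rather than searching for it, refuses multiple extensions instead of guessing which one matters, and discards the client's name entirely when storing the file. Pair it with an upload directory that is outside any web-served or executable location, so that even an accepted file cannot be turned into code execution.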