VMware has posted VMSA-2021-0020 (CVE-2021-22005), a very troubling vulnerability (CVSS 9.8) along with warnings of active exploitation:
…network access to port 443 on vCenter Server may exploit this issue to execute code…
It’s related to a simple file upload with this commonly open port, thus the alarming 9.8 score of risk out of 10.
Which versions are affected? Looks like VMware is confused. In the advisory it plainly states this:
This issue does not affect vCenter Server 6.5.
Then the recommended FAQ in the advisory states this:
In this case it is vCenter Server 6.5, 6.7, and 7.0.
Err on the side of caution and patch 6.5.