Shortly after VMware released a security advisory for CVE-2021-21972, proof-of-concept (PoC) code for exploiting vCenter appeared online. The vulnerability was originally found and reported to VMware by Mikhail Klyuchnikov of Positive Technologies, who planned on giving the public plenty of time before releasing the technical details. Unfortunately, things didn’t go quite as planned, so Positive Technologies has decided to make its post public since the details are now known.
On both Linux and Windows hosts, vCenter allowed unauthenticated file uploads, leading to code execution. On Windows, a JSP file could be uploaded and served through HTTP. By uploading a webshell, an attacker could perform any action they wanted. Although it works a little differently on Linux, the idea is still the same: uploading an SSH key made it possible to SSH into the host and perform any actions permitted by the account vCenter is running as.