VMware addressed multiple vulnerabilities in vRealize Operations, including four high-severity flaws.
The most severe flaw, tracked as CVE-2021-22025 (CVSS score of 8.6), is a broken access control vulnerability in the vRealize Operations Manager API. An attacker could exploit the vulnerability to gain unauthenticated API access.
“The vRealize Operations Manager API contains a broken access control vulnerability leading to unauthenticated API access. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.” reads the advisory published by the virtualization giant. “An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to existing vROps cluster.”