The Integrated Windows Authentication (IWA) mechanism in vCenter Server is affected by a privilege escalation vulnerability, according to VMware's advisory. VMware has published a document with workaround instructions until patches are available. It's not uncommon for threat actors to exploit vCenter Server vulnerabilities, so it's important that organizations apply patches or workarounds as soon as possible. CrowdStrike has been contacted but the cybersecurity firm has declined to provide any additional information. There are thousands of vCenter Server instances that are accessible from the internet.

The vulnerability has been assigned the identifier CVE-2021-22048 and a severity rating of "important," which corresponds to "high severity" based on its CVSS score of 7.1.

"The workaround for CVE-2021-22048 is to switch from Integrated Windows Authentication (IWA) to AD over LDAPS authentication / Identity Provider Federation for AD FS (vSphere 7.0 only)," VMware said. "A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group."

CrowdStrike's Yaron Zinar and Sagi Sheinfeld have been credited with reporting the issue to VMware. vCenter Server 6.7 and 7.0, as well as Cloud Foundation 3.x and 4.x, are all affected. While there is no indication that the vulnerability has been exploited for malicious purposes, the lack of patches and the fact that CrowdStrike discovered the security hole could indicate that it has been exploited.