CVE-2021-22025
HIGHVMware vRealize Operations Manager 8.0.0-8.4.x - Unauthenticated API Access via Broken Access Control
Title source: llmDescription
The vRealize Operations Manager API (8.x prior to 8.5) contains a broken access control vulnerability leading to unauthenticated API access. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to existing vROps cluster.
References (1)
Core 1
Core References
Patch, Vendor Advisory x_refsource_misc
https://www.vmware.com/security/advisories/VMSA-2021-0018.html
Scores
CVSS v3
7.5
EPSS
0.0019
EPSS Percentile
40.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-287
Status
published
Products (4)
vmware/cloud_foundation
3.0 - 3.10.2.1
vmware/vrealize_operations_manager
7.5.0
vmware/vrealize_operations_manager
8.0.0 - 8.5.0
vmware/vrealize_suite_lifecycle_manager
8.0 - 8.2
Published
Aug 30, 2021
Tracked Since
Feb 18, 2026