The vulnerability was given a rating of 9.8 and affects versions 6.5, 6.7 and 7.0 of the vCenter Server product.
vCenter Server functions as an administration portal for vSphere and ESXi, which are widely used virtualisation products.
The advisory cited two issues. The first was a remote code execution flaw in the vSAN plugin, which is part of vCenter Server. The second was connected to improvements made to the product's plugin framework to enforce authentication; this affected some plugins and also caused some third-party plugins to stop functioning.
"To exploit this vulnerability, an attacker would need to be able to access vCenter Server over port 443 in the firewall. Even if an organisation has not exposed vCenter Server externally, attackers can still exploit this flaw once inside a network," she said.
"In a rare move, VMware published a blog post calling out ransomware groups as being adept at leveraging flaws like this post-compromise, after having gained access to a network via other means such as spearphishing.
"With ransomware dominating the news, this context is important and reinforces VMware's assertion that patching these flaws should be a top priority. Successful exploitation would allow an attacker to execute arbitrary commands on the underlying vCenter host.
"VMware also patched CVE-2021-21986, which is an authentication mechanism issue found in several vCenter Server Plug-ins and was assigned a CVSSv3 score of 6.5, making it moderately severe."
Tills said VMware had provided patches for both flaws and advised organisations using vCenter Servers to act immediately.