Threat Advisory

VMware warns of the public availability code for a critical vulnerability

November 3, 2022 | By Accorian

Last week, VMware has released security updates to address a critical remote code execution vulnerability in VMware Cloud Foundation. It is tracked as CVE-2021-39144 and has been assigned a CVSS score of 9.8.

The XStream open-source library contains the remote code execution flaw. Without any user interaction, unauthenticated attackers can take advantage of the vulnerability due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation. Due to the severity of the vulnerability the team has also released patches for end-of-life products.

VMware did, however, confirm over the weekend that the attack code exploiting CVE-2021-39144 has been released and is available to the public. VMware vCloud Foundation 3.11 is the fixed version released in response to this vulnerability and as well as for CVE-2022-31678, which is an XML External Entity (XXE) vulnerability that can cause a denial-of-service condition. 

Accorian suggests our clients upgrade their installs to the latest release.


Threat Advisory Team 


Recent Post

    Ready to Start?

    Shukla CPA, d.b.a Accorian Assurance is a licensed, certified public accounting firm registered with the American Institute of Pubic Accountants (AICPA) and the Public Company Accounting Oversight Board (PCAOB). Esha IT Corp d.b.a Accorian is a global leader in cybersecurity and compliance professional services.

    © 2023 Accorian. All Rights Reserved.

      Ready to Start?

      Download Case study

      Download SOC2 Guide

      Human Resources Director

      Posted On: 09 May, 2022

      Drop your CVs to

        Interested Position
        First Name
        Last Name
        Total Experience
        Mobile Number
        Upload Resume