The vulnerability is a command injection bug tracked as CVE-2020-4006 and publicly disclosed two weeks ago. If successfully exploited, the vulnerability enables attackers to escalate commands on the host Linux and Windows operating systems. The vulnerability exists in the administrative configurator of some releases of some products. The company has released security updates that fully mitigate the vulnerability on devices running one of the affected products. It also lowered the bug’s CVSSv3 base score to 7.2/10 and the maximum severity rating from ‘Critical’ to ‘Important’
Source: https://www.bleepingcomputer.com/news/security/vmware-fixes-zero-day-vulnerability-reported-by-the-nsa/