The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed to take over a system. The most serious of the three flaws is a remote code execution (RCE) flaw in VMware's vCenter Server management platform. The other flaw is a Server-Side Request Forgery (SSRF) vulnerability due to improper validation of URLs in a plugin, with a CVSS v3 score of 9.8, in a vCenter Server plugin for vROPs in the vSphere Client functionality.
Source: https://threatpost.com/vmware-patches-critical-rce-flaw-in-vcenter-server/164240/

