The vulnerability was discovered by Positive Technologies web application security expert Mikhail Klyuchnikov. The flaw stems from improper validation of uploaded file extensions (an input-validation bug) combined with missing authorization checks in the logupload web application. Unpatched servers running versions prior to 4.6 Security Patch 1 could allow remote attackers to upload arbitrary files via specially crafted requests. Attackers can then execute the uploaded files to run arbitrary malicious code on the compromised servers within the log upload container. Thousands of unpatched vCenter servers are reachable over the Internet, as shown by Shodan and BinaryEdge.
Source: https://www.bleepingcomputer.com/news/security/vmware-releases-fix-for-severe-view-planner-rce-vulnerability/
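The two controls the advisory says were missing, an authorization check and strict extension validation on the log-upload endpoint, are illustrated below as an added example; this is not VMware's code, and the upload directory, role name and extension allowlist are assumptions.

```python
# Added illustration (not VMware's or View Planner's code) of a log-upload
# handler that enforces the controls whose absence enables this flaw.
# UPLOAD_DIR, the "upload_logs" role and ALLOWED_EXTENSIONS are assumptions.
import posixpath
import re
from typing import Optional

ALLOWED_EXTENSIONS = {".log", ".txt", ".zip"}   # assumed allowlist of log types
UPLOAD_DIR = "/var/log/uploads"                  # hypothetical path in the container
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UploadRejected(Exception):
    """Raised when an upload fails an authorization or validation check."""


def vulnerable_target(filename: str) -> str:
    """Pre-fix pattern: no caller check, client-supplied name trusted as-is."""
    return posixpath.join(UPLOAD_DIR, filename)


def hardened_target(principal: Optional[dict], filename: str) -> str:
    """Return the destination path for an upload, or raise UploadRejected."""
    # 1. Authorization first: anonymous or unprivileged callers never reach
    #    the filesystem logic at all.
    if not principal or "upload_logs" not in principal.get("roles", ()):
        raise UploadRejected("caller is not authorized to upload logs")
    # 2. Keep only the final path component so "../" cannot leave UPLOAD_DIR,
    #    and restrict the character set so nothing odd reaches the filesystem.
    name = posixpath.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.fullmatch(name):
        raise UploadRejected("filename contains disallowed characters")
    # 3. Allowlist the *last* extension: "evil.log.jsp" is rejected because the
    #    server would treat it as .jsp, not .log.
    root, ext = posixpath.splitext(name)
    if not root or ext.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not permitted")
    target = posixpath.join(UPLOAD_DIR, name)
    # 4. Defense in depth: the normalized path must still sit inside UPLOAD_DIR.
    if posixpath.commonpath([UPLOAD_DIR, posixpath.normpath(target)]) != UPLOAD_DIR:
        raise UploadRejected("resolved path escapes the upload directory")
    return target
```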

