Yesterday VMware announced two security issues, Cross Site Scripting (XSS) on ESXi hosts, and SSH issues in the appliance «VMware data Protection» (VDP).
Cross Site Scripting
This issue applies to ESXi hosts running version 5.5 or later. Please check out VMSA-2016-0023 for more information, download patch and install documentation.
SSH Key-based authentication
The «VMware Data Protection» appliance contains a provate SSH key with a known password that is configured to allow key-based authentication, which may allow an unauthorized remote attacker to log into the appliance with root privileges. Please check out VMSA-2016-0024 for more information, download patch and install documentation.