I discovered a new unknown vulnerability in vRops 6.3 on my home lab, this allowed me to obtain the Administrator role from a lower non privileged role…

I informed VMware which were very responsive and patched the bug, the announcement from VMWare can be found over at the VMware Security Blog or over at security advisories:  VMSA-2016-0016

References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7457

https://kb.vmware.com/kb/2147215

https://kb.vmware.com/kb/2147247

https://kb.vmware.com/kb/2147246

https://kb.vmware.com/kb/2147248

vMan