VMware
Vulnerabilities in VMware vCenter Server, ESXi, and the Spring Framework, which VMware stewards: virtualization and application infrastructure whose compromise can mean full control of an organization's entire virtual estate.
Spring4Shell — Spring Framework Remote Code Execution
A remote-code-execution vulnerability in the Spring Framework, stewarded by VMware, allows an attacker to achieve RCE via data binding under specific conditions — JDK 9+, Spring Framework versions before 5.3.18 / 5.2.20, and deployment as a traditional WAR on Apache Tomcat.
VMware vCenter Server vSphere Client Remote Code Execution
A remote-code-execution vulnerability in the vSphere Client (HTML5) plugin for VMware vCenter Server allows an unauthenticated attacker with network access to port 443 to upload a malicious file and execute arbitrary commands with unrestricted privileges on the underlying operating system.

vCenter's Unrestricted-Upload Bug: A Reminder That Management Planes Shouldn't Face the Internet
CVE-2021-21972 let unauthenticated attackers execute code with root privileges on VMware vCenter Server — and internet scans found tens of thousands of instances exposed anyway, against VMware's own guidance.

Spring4Shell: Why This One Needed Careful Triage, Not Panic
CVE-2022-22965 leaked publicly before VMware's patch was ready — but unlike Log4Shell, exploitation required a specific combination of conditions that made blanket panic the wrong response.