1. Introduction
The VMware vCenter Legacy Data Collection function gathers inventory and configuration data from vCenter over the vSphere SOAP API (the https://<vcenter>/sdk endpoint). Where that collection interface is reachable without adequate access control, an attacker with network access to vCenter can extract sensitive information about the virtual infrastructure, such as the list of managed hosts and their configurations. Systems running older versions of vCenter are the ones usually affected. The direct impact is to confidentiality; the extracted data also gives an attacker the reconnaissance needed to target hosts and virtual machines, which is how the integrity and availability of the environment can be compromised in a follow-on attack.
2. Technical Explanation
- Root cause: The data-collection SOAP interface is reachable without the authentication and authorization checks appropriate to the data it returns.
- Exploit mechanism: An attacker sends SOAP requests to the vCenter API endpoint (https://<vcenter>/sdk) and retrieves host data. The simplest case is a query for the list of managed hosts and their configurations; no exploit code is needed beyond a SOAP client.
- Scope: vCenter versions that predate modern authentication and access controls for this function. No exact version cut-off is given here; confirm your build against the vendor bulletin in the references before treating a system as affected or unaffected.
3. Detection and Assessment
Confirming the issue involves two checks: the vCenter version, and whether the SOAP API endpoint (https://<vcenter>/sdk) is reachable from the network segments an attacker could occupy. A thorough assessment goes one step further and attempts to retrieve data through the API from such a location.
- Quick checks: Use the vSphere Client or the command line on the vCenter Server to record the version and build.
- Scanning: Nessus plugin ID 16738 can identify this issue; treat a plugin hit as a lead and verify it manually.
- Logs and evidence: Check vCenter logs for API sessions originating from unexpected sources. On the vCenter Server Appliance the vSphere Client (UI) logs are under /var/log/vmware/vsphere-client/logs/, while API sessions are recorded by vpxd in /var/log/vmware/vpxd/vpxd.log and as login events (UserLoginSessionEvent) in the vCenter event database, which show the user, the source IP and the client user agent.
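The checks above (remote reachability of the SOAP endpoint, version fingerprint, and log triage for sessions from unexpected sources), and the re-test in section 5, as an added Python example that is not part of the original page or of VMware's tooling. It assumes the standard vSphere Web Services endpoint https://<vcenter>/sdk and its unauthenticated RetrieveServiceContent call; the XML replies and log lines below are constructed samples, and the hostname and IP values are placeholders.

```python
"""Added example (not the page's or VMware's code): remote SOAP check and log
triage for a vCenter assessment. probe_service_content() is the only function
that touches the network; the parsers are exercised on constructed samples."""
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET

VIM_NS = "urn:vim25"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# ServiceInstance.RetrieveServiceContent needs no session, so it is the standard
# way to confirm from a remote host that /sdk answers and which version it runs.
RETRIEVE_SERVICE_CONTENT = (
    '<soapenv:Envelope xmlns:soapenv="{soap}" xmlns:vim25="{vim}"><soapenv:Body>'
    '<vim25:RetrieveServiceContent><vim25:_this type="ServiceInstance">ServiceInstance'
    '</vim25:_this></vim25:RetrieveServiceContent></soapenv:Body></soapenv:Envelope>'
).format(soap=SOAP_NS, vim=VIM_NS)


def probe_service_content(host, timeout=10, verify_tls=True):
    """POST the fingerprint request to https://<host>/sdk and return the reply XML.
    Pass verify_tls=False only for lab hosts with self-signed certificates."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request("https://%s/sdk" % host,
                                 data=RETRIEVE_SERVICE_CONTENT.encode(),
                                 headers={"Content-Type": "text/xml; charset=utf-8"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_service_content(xml_text):
    """Return the 'about' fields an assessor records, or None if absent."""
    about = ET.fromstring(xml_text).find(".//{%s}about" % VIM_NS)
    if about is None:
        return None
    return {tag: (about.findtext("{%s}%s" % (VIM_NS, tag)) or "")
            for tag in ("fullName", "version", "build", "apiType", "apiVersion")}


def classify_response(xml_text):
    """'data' when the body carries a result, 'not_authenticated' for the fault
    vCenter returns to inventory calls without a session, otherwise 'fault'.
    After remediation an unauthenticated inventory query must not yield 'data'."""
    fault = ET.fromstring(xml_text).find(".//{%s}Fault" % SOAP_NS)
    if fault is None:
        return "data"
    if fault.find(".//{%s}NotAuthenticatedFault" % VIM_NS) is not None:
        return "not_authenticated"
    return "fault"


# vCenter's UserLoginSessionEvent reads "User <user>@<ip> logged in as <agent>".
LOGIN_RE = re.compile(
    r"User (?P<user>\S+)@(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) logged in as (?P<agent>.+)$")


def unexpected_logins(lines, allowed_sources):
    """Return (user, ip, agent) for API logins from IPs outside the expected set."""
    hits = []
    for line in lines:
        m = LOGIN_RE.search(line.rstrip())
        if m and m.group("ip") not in allowed_sources:
            hits.append((m.group("user"), m.group("ip"), m.group("agent")))
    return hits


# --- constructed samples, not captured from a real system ---
SAMPLE_SERVICE_CONTENT = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><RetrieveServiceContentResponse xmlns="urn:vim25"><returnval>
<rootFolder type="Folder">group-d1</rootFolder>
<about><name>VMware vCenter Server</name>
<fullName>VMware vCenter Server 6.7.0 build-12345678</fullName>
<vendor>VMware, Inc.</vendor><version>6.7.0</version><build>12345678</build>
<apiType>VirtualCenter</apiType><apiVersion>6.7.3</apiVersion></about>
</returnval></RetrieveServiceContentResponse></soapenv:Body></soapenv:Envelope>"""

SAMPLE_NOT_AUTHENTICATED = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body><soapenv:Fault><faultcode>ServerFaultCode</faultcode>
<faultstring>The session is not authenticated.</faultstring>
<detail><NotAuthenticatedFault xmlns="urn:vim25" xsi:type="NotAuthenticated">
<object type="Folder">group-d1</object><privilegeId>System.View</privilegeId>
</NotAuthenticatedFault></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>"""

SAMPLE_LOG_LINES = [
    "2024-01-01T10:00:00Z User VSPHERE.LOCAL\\Administrator@10.0.0.5 logged in as VMware vim-java 1.0",
    "2024-01-01T10:02:13Z User svc-backup@vsphere.local@10.0.0.20 logged in as pyvmomi Python/3.9",
    "2024-01-01T10:05:41Z User VSPHERE.LOCAL\\Administrator@203.0.113.7 logged in as curl/7.88",
    "2024-01-01T10:06:00Z unrelated line that the triage must ignore",
]

if __name__ == "__main__":
    print(parse_service_content(SAMPLE_SERVICE_CONTENT))
    print(classify_response(SAMPLE_NOT_AUTHENTICATED))
    print(unexpected_logins(SAMPLE_LOG_LINES, {"10.0.0.5", "10.0.0.20"}))
```

For a live assessment, call probe_service_content("<vcenter-hostname>") from the remote segment in question and feed the reply to parse_service_content; a version and build coming back confirms the endpoint is reachable, and the same probe is the re-test for section 5. Note that RetrieveServiceContent answers without a session by design, so what the post-fix re-test must show is that an inventory query without credentials is classified as not_authenticated rather than data, not that /sdk has stopped responding.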
Version check from the vCenter Server command line (the quick check above):
vmware-vpxd -v

4. Solution / Remediation Steps
The primary solution is to disable the legacy data collection functionality or upgrade vCenter to a version with modern authentication and access controls. These steps should be performed during a scheduled maintenance window.
4.1 Preparation
- Ensure you have valid administrative credentials for the vCenter server, and take a backup before the change (for example a VAMI file-based backup or a snapshot of the appliance). The roll-back plan is to restore that pre-change backup, or to re-enable the service as described in section 7.
- Schedule a change window and obtain approval from the infrastructure team.
4.2 Implementation
- Step 1: Log in to the vCenter Server Appliance Management Interface (VAMI, https://<vcenter>:5480).
- Step 2: Navigate to System > Configuration > Services.
- Step 3: Locate and disable the “vCenter Legacy Data Collection” service.
- Step 4: Restart the VMware vSphere Client service.
4.3 Config or Code Example
Before
Service Status: Running (vCenter Legacy Data Collection)
After
Service Status: Stopped (vCenter Legacy Data Collection)

4.4 Security Practices Relevant to This Vulnerability
- Practice 1: Least privilege, applied both to accounts and to network reachability of the API, limits what an attacker can collect if the interface is abused.
- Practice 2: Regularly review and update security baselines so that services not required in your environment, such as legacy data collection, are disabled by default.
4.5 Automation (Optional)
# Example PowerShell (Windows PowerShell 5.1 with WinRM) to stop the service on a Windows-based vCenter Server.
# This is an example only - adapt for your environment! Stop-Service has no -ComputerName parameter, so it runs remotely via Invoke-Command.
# On the vCenter Server Appliance use "service-control --stop <service>" over SSH instead; Windows service cmdlets do not apply there.
$VCenterHost = "<vcenter-hostname>"   # placeholder: set to your vCenter Server
Invoke-Command -ComputerName $VCenterHost -ScriptBlock { Stop-Service -Name "vCenter Legacy Data Collection" -Verbose }

5. Verification / Validation
- Post-fix check: Use the VAMI interface or CLI to confirm the “vCenter Legacy Data Collection” service status is Stopped.
- Re-test: Repeat the remote SOAP query from section 3. The data previously exposed by the legacy collection should no longer be retrievable without a valid session; note that the /sdk endpoint itself will still answer, because the vSphere Client and PowerCLI depend on it, so the check is on data access, not on reachability.
- Smoke test: Verify that core vCenter functionality, such as VM power operations, continues to work as expected.
- Monitoring: Monitor vCenter logs for any attempts to access the disabled service.
Expected result of the post-fix check:
Service Status: Stopped (vCenter Legacy Data Collection)

6. Preventive Measures and Monitoring
- Baselines: Update your vCenter security baseline to include disabling unnecessary services like legacy data collection.
- Pipelines: Include a check in your deployment automation so that new vCenter deployments do not come up with this service enabled by default.
- Asset and patch process: Implement a regular patch review cycle for all vCenter components.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Disabling the service may impact some older monitoring tools that rely on it.
- Roll back: 1) Log in to the VAMI interface. 2) Navigate to System > Configuration > Services. 3) Locate and enable the “vCenter Legacy Data Collection” service. 4) Restart the VMware vSphere Client service.
8. References and Resources
- Vendor advisory or bulletin: VMware Knowledge Base Article 78618
- NVD or CVE entry: No specific CVE is associated with this issue, but related vulnerabilities can be found on the NVD website (https://nvd.nist.gov/).
- Product or platform documentation relevant to the fix: VMware vSphere Documentation