VMware Web Services SDK open to Brute Force Attacks
November 27th, 2009

If you didn't already know this, the VMware Web Services SDK is a SOAP API, described by a WSDL, that lets developers write applications that integrate with VMware. You can also query this API from a standard web browser. The interface requires authentication, and once authenticated you have access to the entire API, as shown in the screenshot below.

Even if you are not a developer, once authenticated in the browser you can query the virtual infrastructure in much the same way as you would with the standard VI client. You can also schedule tasks, which means you have a lot of power: shutting down VMs, changing configurations, and so on.
Bruteforce Attack
The interesting thing to note is that the login can be attacked using brute force techniques, and a single guessed password yields the full API access described above. So if you do not have adequate access control mechanisms in place, you are leaving your virtual infrastructure open to compromise.
To mitigate this, I would suggest you lock down which source IPs in your network are allowed to reach vCenter and each ESX host, and never expose your virtual management layer to the Internet.
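The two points above (password guessing against the SDK login, and restricting which sources may reach it) can both be checked from the authentication log. The script below is an added example, not code from the original post or from VMware: it parses constructed log lines in a format made up to resemble hostd/vpxd authentication messages (real formats vary by version, so adjust `LINE_RE`), flags sources that rack up failures inside a short window, flags a success that immediately follows such a run, and reports any source that is not inside a hypothetical management allow-list of 10.1.1.0/24.

```python
"""Added example (not from the original post): spot password guessing against
the vSphere SDK / vCenter login from auth log lines, and check each source
against the management allow-list the post recommends.

Assumptions: the log format is constructed to resemble hostd/vpxd auth
messages; real formats vary by product version, so adjust LINE_RE. The
allow-list network and all sample addresses are made up."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log (not a real capture). Assumed format:
# "<ISO timestamp> <component> <Rejected|Accepted> password for user <u> from <ip>"
SAMPLE_LOG = """\
2009-11-27T10:00:01 hostd Rejected password for user root from 10.1.1.50
2009-11-27T10:00:02 hostd Rejected password for user root from 10.1.1.50
2009-11-27T10:00:03 hostd Rejected password for user root from 10.1.1.50
2009-11-27T10:00:04 hostd Rejected password for user root from 10.1.1.50
2009-11-27T10:00:05 hostd Rejected password for user root from 10.1.1.50
2009-11-27T10:00:06 hostd Rejected password for user root from 10.1.1.50
2009-11-27T10:00:07 hostd Accepted password for user root from 10.1.1.50
2009-11-27T10:00:30 hostd Rejected password for user admin from 203.0.113.7
2009-11-27T10:05:30 hostd Rejected password for user admin from 203.0.113.7
2009-11-27T10:10:30 hostd Rejected password for user admin from 203.0.113.7
2009-11-27T10:12:00 hostd Rejected password for user ops from 10.1.1.20
2009-11-27T10:12:05 hostd Accepted password for user ops from 10.1.1.20
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ (?P<outcome>Rejected|Accepted) password '
    r'for user (?P<user>\S+) from (?P<ip>\S+)$')

# Hypothetical management subnet: only these sources should reach the SDK at all.
MANAGEMENT_ALLOWLIST = [ipaddress.ip_network('10.1.1.0/24')]

FAIL_THRESHOLD = 5              # this many failures from one source ...
WINDOW = timedelta(seconds=60)  # ... inside this window counts as guessing


def parse_auth_events(text):
    """Yield (timestamp, outcome, user, ip) for each line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m['ts']), m['outcome'], m['user'], m['ip'])


def is_allowed_source(ip, allowlist=MANAGEMENT_ALLOWLIST):
    """True if ip falls inside one of the allow-listed management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def assess(text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {ip: set(findings)} over the log text.

    'brute-force'        >= threshold failures from ip inside one window
    'success-after-run'  a success while that failure window is still hot
    'outside-allowlist'  ip is not inside the management allow-list at all
    """
    findings = defaultdict(set)
    recent_fail = defaultdict(deque)   # ip -> timestamps of recent failures
    for ts, outcome, user, ip in sorted(parse_auth_events(text)):
        if not is_allowed_source(ip):
            findings[ip].add('outside-allowlist')
        q = recent_fail[ip]
        # Drop failures older than the window before counting this event.
        while q and ts - q[0] > window:
            q.popleft()
        if outcome == 'Rejected':
            q.append(ts)
            if len(q) >= threshold:
                findings[ip].add('brute-force')
        elif len(q) >= threshold:
            # Password guessed and then accepted: treat as compromise, not noise.
            findings[ip].add('success-after-run')
    return dict(findings)


if __name__ == '__main__':
    for ip, tags in sorted(assess(SAMPLE_LOG).items()):
        print(f'{ip:15} {", ".join(sorted(tags))}')
```

On the sample data, 10.1.1.50 is reported for a six-failure run followed by a success, 203.0.113.7 is reported only because it is outside the allow-list (its three failures are five minutes apart, below the threshold), and 10.1.1.20, one typo then a normal login from the management subnet, is not reported at all. The allow-list check is the one the post recommends: if the source should never have reached the SDK, the number of guesses it made is beside the point.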



