vCenter 'crown jewel' blog circulates
- Christian Mohn published a May 14 blog post arguing VMware vCenter is the “crown jewel,” and cybersecurity accounts amplified it on May 16.
- Mohn wrote that once valid access reaches vCenter, “the environment stops behaving as a collection of independent systems” and becomes centralized in practice.
- Mohn’s post remains available on vNinja.net as part of his “VCF Security Reality Check” series with related entries dated May 12 and May 14.
Christian Mohn’s May 14 blog post arguing that VMware vCenter is the “crown jewel” of a virtualized environment circulated widely on X over the weekend, as security practitioners used it to warn about the risks of management-plane compromise. Mohn, a Norway-based VMware vExpert and chief technologist at Proact IT Norway, published the post on his vNinja.net site as part of a series on VMware Cloud Foundation security.

The post drew attention because it framed vCenter not as the usual initial foothold for attackers, but as the point where compromise becomes centralized across a virtual infrastructure. Mohn wrote that “once valid access exists at this layer, the environment stops behaving as a collection of independent systems” and instead “behaves as a single controllable surface.”

Broadcom’s own security materials have repeatedly highlighted vCenter as a high-value target. (vninja.net) In a September 17, 2024 questions-and-answers post on VMSA-2024-0019, VMware Cloud Foundation said critical vulnerabilities in VMware vCenter could allow remote code execution against vCenter services, and said the advisory should be the source of truth for affected products and patches.

### What did Mohn actually argue in the post?

Mohn’s May 14 article said vCenter is usually not the initial entry point in an intrusion, but the place where control “converges” after attackers gain access elsewhere. He said initial access often comes through identity problems, reused credentials, reachable management interfaces, or internal trust relationships that no longer hold. (blogs.vmware.com)

The same post said the shift at the vCenter layer is about authenticated control rather than bypassing controls. Mohn wrote that once authentication is valid, the system executes administrative actions through normal workflows and that, from the system’s perspective, those actions can appear legitimate.

### Why does vCenter attract this kind of attention from defenders?
MITRE ATT&CK describes “Valid Accounts,” technique T1078, as the abuse of legitimate credentials for initial access, persistence, privilege escalation or defense evasion. (vninja.net) Mohn explicitly linked his argument to that pattern, writing that intrusion behavior commonly uses valid accounts and legitimate access paths to extend control rather than break systems outright.

Broadcom security advisories also reflect that emphasis on authenticated access. One support advisory says a malicious actor “already authenticated through vCenter Server or ESXi” could trigger a denial-of-service condition in guest virtual machines with VMware Tools running and guest operations enabled. Another 2025 advisory covered multiple vulnerabilities in VMware vCenter and NSX and said updates were available for affected products. (attack.mitre.org)

### What does “centralized control” mean in practical terms?

Mohn’s May 14 post said the key change is structural: ESX hosts may continue to run workloads and enforce isolation, but vCenter changes how the environment is controlled in practice because administration is centralized there. He wrote that compromise at that layer can turn what looks like separate systems into one operational surface. (support.broadcom.com)

That framing resonated with virtualization administrators because vCenter sits over inventory, permissions and administrative workflows in many VMware environments. Mohn’s article said the danger is often visible only after control has already shifted, not at the first moment of intrusion.

### Who is Christian Mohn, and why did people pay attention?

The vExpert directory identifies Christian Mohn as chief technologist at Proact IT Norge AS and says he has been a vExpert for 15 years. (vninja.net) Tech Field Day and Sessionize describe him as a longtime VMware practitioner, blogger and speaker based in Bergen, Norway.
Mohn’s “vCenter Is the Crown Jewel” entry is part of a named series, “VCF Security Reality Check: ESX, vCenter & Identity.” The series page shows related posts dated May 12 and May 14, including “ESX Security Advice that Actually Matters in 2026” and the vCenter article that circulated this weekend. (vninja.net)

### Where can readers track the next developments?

The vNinja.net series page listed on May 17 still links to Mohn’s May 14 “vCenter Is the Crown Jewel” post and the companion entries published on May 12. (vexpert.vmware.com) Broadcom’s VMware Security Blog and support advisory pages remain the primary places to monitor future vCenter security notices and patch guidance. (vninja.net)