vSphere Web Client extensions run at the same privilege level as the user who is logged in. A malicious extension can masquerade as a useful plug-in and perform harmful operations such as stealing credentials or changing the system configuration. To increase security, use a vSphere Web Client installation that includes only authorized extensions from trusted sources.

A vCenter installation includes the vSphere Web Client extensibility framework, which provides the ability to extend the vSphere Web Client with menu selections or toolbar icons that provide access to vCenter add-on components or external, Web-based functionality. This flexibility results in a risk of introducing unintended capabilities. For example, if an administrator installs a plug-in in an instance of the vSphere Web Client, the plug-in can then execute arbitrary commands with the privilege level of that administrator.

To protect against potential compromise, do not install any vSphere Web Client plug-ins that do not come from a trusted source.