vSphere Client extensions run at the same privilege level as the user that is logged in. A malicious extension can masquerade as a useful plug-in and perform harmful operations such as stealing credentials or changing the system configuration. To increase security, use a vSphere Client installation that includes only authorized extensions from trusted sources.

vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter add-on components or external, Web-based functionality. With this flexibility, there is a risk of introducing unintended capabilities. For example, an administrator might install a plug-in in an instance of the vSphere Client. The plug-in can then execute arbitrary commands with the privilege level of that administrator.

To protect against potential compromise, do not install any vSphere Client plug-ins that do not come from a trusted source. To verify which plug-ins are installed in the vSphere Client, select Plug-ins > Manage Plug-ins and click the Installed Plug-ins tab.
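
The same check can be scripted across many systems. The following is an added example, not VMware's code: it assumes the inventory comes from the extensions registered with vCenter Server, read through PowerCLI as `(Get-View ExtensionManager).ExtensionList`, rather than from the Plug-ins menu. The function name `Test-ExtensionAllowlist`, the allowlist, and the sample records are constructed for illustration.

```powershell
# Constructed allowlist: extension key -> approved company and download hosts.
$Allowlist = @{
    'com.example.backup' = @{ Company = 'Example Backup Inc.'; Hosts = @('plugins.corp.example') }
}

function Test-ExtensionAllowlist {   # hypothetical helper, not a PowerCLI cmdlet
    param(
        [Parameter(Mandatory)] [object[]]  $Extensions,
        [Parameter(Mandatory)] [hashtable] $Allowlist
    )
    foreach ($ext in $Extensions) {
        $findings = @()
        $entry = $Allowlist[$ext.Key]
        if (-not $entry) {
            $findings += 'key not on allowlist'
        } else {
            if ($ext.Company -ne $entry.Company) {
                $findings += "company '$($ext.Company)' differs from approved '$($entry.Company)'"
            }
            # Client entries carry the URL the client-side package is fetched from.
            foreach ($client in @($ext.Client)) {
                if (-not $client) { continue }
                $uri = $null
                if (-not [Uri]::TryCreate($client.Url, [UriKind]::Absolute, [ref]$uri)) {
                    $findings += "client URL '$($client.Url)' is not absolute"
                } elseif ($uri.Scheme -ne 'https') {
                    $findings += "client package served over $($uri.Scheme)"
                } elseif ($entry.Hosts -notcontains $uri.Host) {
                    $findings += "client package host '$($uri.Host)' not approved"
                }
            }
        }
        [pscustomobject]@{
            Key      = $ext.Key
            Status   = if ($findings) { 'REVIEW' } else { 'OK' }
            Findings = $findings -join '; '
        }
    }
}

# Constructed records shaped like Extension objects (Key, Company, Client[].Url).
# Live input with PowerCLI connected: (Get-View ExtensionManager).ExtensionList
$sample = @(
    [pscustomobject]@{ Key = 'com.example.backup'; Company = 'Example Backup Inc.'
        Client = @([pscustomobject]@{ Url = 'https://plugins.corp.example/backup.zip' }) }
    [pscustomobject]@{ Key = 'com.example.backup'; Company = 'Example Backup Inc.'
        Client = @([pscustomobject]@{ Url = 'http://198.51.100.7/backup.zip' }) }
    [pscustomobject]@{ Key = 'com.example.toolbar'; Company = 'Unknown'; Client = $null }
)
Test-ExtensionAllowlist -Extensions $sample -Allowlist $Allowlist | Format-Table -AutoSize -Wrap
```

Every key in the live list needs an allowlist entry, so build the allowlist from a system whose extensions have already been reviewed.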