Sometimes we review the vulnerability check list. We are aim to address high severity of vulnerabilities items in first piority. From technical point of view it looks correct. Since some medium vulnerabilities especially cookie or cross site scripting issue may spend more time to do the remediation. A security advisories announced by VMware on 15th May 2018 bring to my attentions. That is CVE-2018-6961 (see attached diagram). It looks that the orginal Web UI function is a dilemma! Web UI in frequent have design weakness thus let attacker do the code injection. Since there is no prefect item in the world. The attacker might relies on CVE-2018-6961 execute Use-After-Free vulnerability. As a result it affected drag-and-drop functionality and triggered through the Backdoor RPC interface.

Remark:  Staying alert of this directory (lib/include/backdoor_def.h)

Reference – Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud :

https://www.vmware.com/security/advisories/VMSA-2018-0011.html