9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.044 Low
EPSS
Percentile
92.4%
vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution.
Recent assessments:
ccondon-r7 at January 19, 2024 10:39am UTC reported:
Critical out-of-bounds write vuln in vCenter Server and Cloud Foundation. While we havenβt looked at this in-depth, VMwareβs advisory indicates that itβs been exploited in the wild, and they took the unusual step of patching several end-of-life versions of vCenter Server:
> While VMware does not mention end-of-life products in VMware Security Advisories, due to the critical severity of this vulnerability and lack of workaround VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x. For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1.
The vuln requires network access to exploit, for whatever thatβs worth at this point in threat-land. Typical skepticism on ease/reliability of exploitation applies given that this is a memory corruption vuln, but with that said, vCenter is a high-value target for skilled and motivated threat actors, including ransomware groups. vCenter Server customers should heed the FAQ advice and patch on an emergency basis.
Edit: Mandiant has published technical information revealing that this vuln has apparently been exploited since 2021 by UNC3886, a China-nexus threat actor. So it is 0day after all.
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 0
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.044 Low
EPSS
Percentile
92.4%