2 June 2020

VMware Cloud Director flaw could allow attackers to hijack corporate servers



Security researchers have published technical details of a new vulnerability in VMware's Cloud Director platform that could allow an attacker to gain access to sensitive data and take control of private clouds within an entire infrastructure.

VMware's Cloud Director is a cloud service-delivery platform used by popular cloud providers to operate and manage cloud infrastructure.

The vulnerability, tracked as CVE-2020-3956, is classified as a code injection vulnerability. It exists due to improper input handling that could be abused by an authenticated attacker to send malicious traffic to Cloud Director, leading to the execution of arbitrary code.

According to researchers from Citadelo, the flaw can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface, and API access. Successful exploitation could allow an attacker to view the contents of the internal system database, modify the system database to steal foreign virtual machines (VMs) assigned to different organizations within Cloud Director, escalate privileges to vCloud administrator, and tamper with login setups to steal credentials.

The vulnerability affects VMware Cloud Director versions 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4. After receiving the researchers' report, VMware released new versions of the product to address the vulnerability.
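The following inventory check is an added example, not code from the article, Citadelo, or VMware. It triages reported Cloud Director versions against the affected ranges listed above. The host names, the version strings (including the trailing build number), and the `not-listed` and `unparseable` labels are constructed for illustration.

```python
import re

# Affected branches and their first fixed releases, as listed in the article.
# Each entry: (branch prefix, first fixed version).
FIXED = [
    ((10, 0), (10, 0, 0, 2)),
    ((9, 7, 0), (9, 7, 0, 5)),
    ((9, 5, 0), (9, 5, 0, 6)),
    ((9, 1, 0), (9, 1, 0, 4)),
]

def parse_version(text):
    """Return the first four numeric components, zero-padded; ignore build suffixes."""
    m = re.match(r"\s*(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))

def triage(version_text):
    """Classify one version against CVE-2020-3956's affected ranges."""
    v = parse_version(version_text)
    for prefix, fixed in FIXED:
        if v[:len(prefix)] == prefix:
            return "vulnerable" if v < fixed else "patched"
    # Branch is not mentioned in the article: check the vendor advisory instead.
    return "not-listed"

def triage_inventory(inventory):
    """Map host -> status; unparseable versions are flagged, not dropped."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = triage(version_text)
        except ValueError:
            result[host] = "unparseable"
    return result

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and version strings).
    sample = {
        "vcd-cell-01.example.internal": "10.0.0.1.15450333",
        "vcd-cell-02.example.internal": "9.7.0.5",
        "vcd-cell-03.example.internal": "9.5.0.3",
        "vcd-cell-04.example.internal": "10.1.0",
        "vcd-cell-05.example.internal": "unknown",
    }
    for host, status in triage_inventory(sample).items():
        print(f"{host}: {status}")
```

A `not-listed` result means only that the article does not mention that branch, not that the branch is unaffected.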
