VMware Cloud Director vulnerability could lead to hijack of enterprise server infrastructure

The security flaw handed over the keys to enterprise infrastructure.
Written by Charlie Osborne, Contributing Writer

VMware has patched a vulnerability in VMware Cloud Director that could be exploited to perform code execution attacks and take over private clouds. 

VMware Cloud Director, known previously as vCloud Director, is a cloud service-delivery platform used for purposes including virtual data center management, data center expansion and cloud migration, and to host automaton tools. The software is used by cloud service providers and enterprise companies worldwide. 

On Monday, penetration testing firm Citadelo published a security advisory detailing the bug, tracked as CVE-2020-3956, which was first discovered in April. 

See also: VMware rolls out Tanzu portfolio for app modernization

The cybersecurity firm said CVE-2020-3956 was uncovered during a security audit performed for a Fortune 500 enterprise customer and user of VMware Cloud Director. 

Issued a severity CVSSV3 score of 8.8 and deemed "important" by VMware, the vulnerability was caused by a failure for input to be handled properly. While exploiting the flaw can lead to code execution and one user to be able to "technically gain control over all customers allocated to this infrastructure," according to Citadelo, the bug's scope has been reduced as attackers must be authenticated to some degree.

"An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution," VMware says. "This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface, and API access."

While analyzing the vulnerability, CItadelo was able to view internal system databases where password hashes were stored -- including customer allocations -- as well as read customer data including email and IP addresses. 

CNET: The best Android VPNs of 2020

The cybersecurity firm added that it may be possible to exploit the bug to partly modify databases to tamper with virtual machines, escalate privileges from organization admins to vCloud administrators, as well as tamper with login setups to steal credentials. 

The cloud computing and virtualization software provider was made aware of the bug on April 1. Two days later, VMware triaged and reproduced the vulnerability, leading to the development of a patch on April 30 and disclosure in May, giving users time to patch their builds before the vulnerability's existence was made public.

VMware issued a security advisory to customers on May 19. vCloud Director 10.0.x, 9.7.x, 9.5.x, and 9.1.x on Linux machines and PhotonOS appliances are impacted. Versions,,, and include fixes.

TechRepublic: How Zoom plans to better secure meetings with end-to-end encryption

Patches have been made available, alongside a workaround that is listed in the firm's Knowledge Base

VMware thanked Citadelo's Tomáš Melicher and Lukáš Václavík for reporting the vulnerability. In turn, the cybersecurity firm acknowledged VMware's "effort to fix the vulnerability quickly."

"VMware is aware of the vulnerability," VMware told ZDNet. "We issued [a] security advisory to customers on Tuesday, May 19."

Cybersecurity reads for every hacker's bookshelf

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards