Critical VMware Zero-Day Affects 6 Product Lines; No patch available

November 27, 2020
min read
Advisory Vulnerability Intelligence
Vendor VMware
CVSS  9.1/10 
CVE 2020-4006
Target Linux/Windows system
Outcome Privilege Escalation/Command Injection
Patch Availability No vendor patches available as of now


There is a zero-day bug, command injection with escalated privileges, affecting six product lines from VMware, there is no vendor patch available yet. [/vc_wp_text][vc_column_text]

Critical VMware Zero-Day Bug

An attacker with network access to administrative configurator on port 8443 , as an outcome of initial compromise of the service via brute-forcing/Dictionary/Password spraying, can execute system level commands with unrestricted privileges on the underlying operating system.


Affected Products

  • VMware Workspace One Access (Access)
  • VMware Workspace One Access Connector (Access Connector)
  • VMware Identity Manager (vIDM)
  • VMware Identity Manager Connector (vIDM Connector)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

Affected versions

  • VMware Workspace One Access    20.10 (Linux)
  • VMware Workspace One Access    20.01 (Linux)
  • VMware Identity Manager   3.3.3 (Linux)
  • VMware Identity Manager    3.3.2 (Linux)
  • VMware Identity Manager    3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)



Technical Impact

  • Once the admin configurator is compromised, an attacker can execute OS commands with unrestricted privilege.
  • Attackers can then implant a backdoor on the target system for later access.
  • The entire network can be compromised via a single compromised system in the network domain.
  • Attackers can initiate a full recon and carry out lateral movement across the network.


Business Impact

  • Loss of confidentiality, integrity, and availability of data and other concerned services.
  • Security incidents tarnish business-client relationships. 
  • Businesses can fall prey to money extortion demands from attacker groups.



The vendor has not published any patches.



No items found.