CVE-2020-3992
In short
The OpenSLP service (slpd) in VMware ESXi has a use-after-free that lets an unauthenticated attacker on the management network execute code remotely by sending crafted packets to port 427. The vulnerability is rated critical because a successful exploit runs attacker code on the hypervisor host itself, beneath every guest it carries.
Technical detail
slpd on ESXi listens on TCP and UDP port 427 (the CIMSLP firewall ruleset). A use-after-free in its handling of SLP messages can be triggered by an attacker who can reach that port on the management network; no authentication is required, and the result is arbitrary code execution on the ESXi host in the context of the slpd process, with the CVSS vector rating confidentiality, integrity and availability impact all High. Two practical caveats: the fixed builds quoted in the official description below are the ones from the original VMSA-2020-0023 advisory, which VMware later updated because the first patches did not completely resolve CVE-2020-3992, so verify a host against the current advisory rather than against those build numbers; and where SLP is not needed, VMware's published workaround (KB 76372) is to stop and disable the slpd service and disable the CIMSLP firewall ruleset, which removes the exposure regardless of patch level.
Summary generated and translated by AI from the official description.
OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
CVSS v3.1 vector (base score 9.8, Critical): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
VMware ESXi (vendor field: n/a)
Public PoCs found: 2
github.com/dgh05t/VMware_ESXI_OpenSLP_PoCs (67 stars)
github.com/HynekPetrak/CVE-2019-5544_CVE-2020-3992 (49 stars)
These are public resources, listed so you can assess the exposure of systems you control or are authorized to test. Test only with authorization.