Security News > 2020 > November > VMware discloses critical zero-day vulnerability in Workspace One
VMware has released a workaround to address a critical zero-day in multiple VMware Workspace One components that allows attackers to execute commands on the host Linux and Windows operating systems using escalated privileges.
The vulnerability tracked as CVE-2020-4006 is a command injection bug - with a 9.1/10 CVSSv3 severity rating - found in the administrative configurator of some releases of VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.
While VMware is still working on releasing security updates to address the zero-day vulnerability, the company does provide admins with a temporary workaround designed to fully remove the attack vector on affected systems and prevent exploitation of CVE-2020-4006.
"Impacts are limited to functionality performed by this service," VMware adds.
Full details on how to implement and revert the workarounds on Linux-based appliances and Windows-based servers are available HERE. The Cybersecurity and Infrastructure Security Agency also urges admins and users to apply the workarounds issued by VMware to block attackers from potentially taking over impacted systems.
News URL
Related news
- Zero-Day Vulnerability in Ivanti VPN (source)
- Critical zero-days impact premium WordPress real estate plugins (source)
- Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw (source)
- SonicWall flags critical bug likely exploited as zero-day, rolls out hotfix (source)
- Apple zero-day vulnerability exploited to target iPhone users (CVE-2025-24085) (source)
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score (source)
- Russian cybercrooks exploiting 7-Zip zero-day vulnerability (CVE-2025-0411) (source)
- PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks (source)
- Critical PostgreSQL bug tied to zero-day attack on US Treasury (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-23 | CVE-2020-4006 | OS Command Injection vulnerability in VMWare products VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability. | 9.1 |