VMware discloses critical zero-day vulnerability in Workspace One
VMware has released a workaround to address a critical zero-day in multiple VMware Workspace One components that allows attackers to execute commands on the host Linux and Windows operating systems using escalated privileges.
The vulnerability tracked as CVE-2020-4006 is a command injection bug - with a 9.1/10 CVSSv3 severity rating - found in the administrative configurator of some releases of VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.
While VMware is still working on releasing security updates to address the zero-day vulnerability, the company does provide admins with a temporary workaround designed to fully remove the attack vector on affected systems and prevent exploitation of CVE-2020-4006.
"Impacts are limited to functionality performed by this service," VMware adds.
Full details on how to implement and revert the workarounds on Linux-based appliances and Windows-based servers are available HERE. The Cybersecurity and Infrastructure Security Agency also urges admins and users to apply the workarounds issued by VMware to block attackers from potentially taking over impacted systems.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-11-23 | CVE-2020-4006 | OS Command Injection vulnerability in VMware products. VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability. | 9.1 |