VMware discloses critical zero-day vulnerability in Workspace One
VMware has released a workaround to address a critical zero-day in multiple VMware Workspace One components that allows attackers to execute commands on the host Linux and Windows operating systems using escalated privileges.
The vulnerability, tracked as CVE-2020-4006, is a command injection bug with a 9.1/10 CVSSv3 severity rating, found in the administrative configurator of some releases of VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.
While VMware is still working on releasing security updates to address the zero-day vulnerability, the company does provide admins with a temporary workaround designed to fully remove the attack vector on affected systems and prevent exploitation of CVE-2020-4006.
"Impacts are limited to functionality performed by this service," VMware adds.
Full details on how to implement and revert the workarounds on Linux-based appliances and Windows-based servers are available HERE. The Cybersecurity and Infrastructure Security Agency also urges admins and users to apply the workarounds issued by VMware to block attackers from potentially taking over impacted systems.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-11-23 | CVE-2020-4006 | Command Injection vulnerability in VMware products: VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability. | 9.0 |