Security News > 2020 > December > VMware Rolls a Fix for Formerly Critical Zero-Day Bug
VMware has patched a zero-day bug that was disclosed in late November - an escalation-of-privileges flaw that impacts Workspace One and other platforms, for both Windows and Linux operating systems.
VMware has also revised the CVSS severity rating for the bug to "Important," down from critical.
The U.S. Cybersecurity and Infrastructure Security Agency had originally flagged the unpatched security vulnerability on Nov. 23, which affects 12 VMware versions across its Cloud Foundation, Identity Manager, vRealize Suite Lifecycle Manager and Workspace One portfolios.
"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," VMware wrote in an updated advisory on Thursday.
While the bug was originally given a 9.1 out of 10 on the CVSS severity scale, further investigation showed that any attacker would need the password mentioned in the update, making it much harder to exploit effectively.
News URL
https://threatpost.com/vmware-fix-critical-zero-day-bug/161896/
Related news
- Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited (source)
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812) (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- VMware fixes critical RCE, make-me-root bugs in vCenter - for the second time (source)
- Fortinet warns of new critical FortiManager flaw used in zero-day attacks (source)
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE (source)
- Hackers target critical zero-day vulnerability in PTZ cameras (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)