Russian Hackers Exploiting Recently Patched VMware Flaw, NSA Warns

Russian state-sponsored hackers have been exploiting a vulnerability that VMware patched recently in some of its products, the National Security Agency warned on Monday.
The vulnerability is tracked as CVE-2020-4006 and it has been found to impact the VMware Workspace ONE Access identity management product and some related components, including Identity Manager on Linux, vIDM Connector on Windows and Linux, VMware Cloud Foundation and vRealize Suite Lifecycle Manager.
In an advisory published on Monday, the NSA said "Russian state-sponsored malicious cyber actors" have been exploiting CVE-2020-4006, but it has not shared any information on the group that launched the attacks or any of the targets.
The NSA did say that the vulnerability has been exploited as part of an attack that resulted in the attackers gaining access to sensitive data.
"The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data," the NSA said in its advisory.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-11-23 | CVE-2020-4006 | OS Command Injection vulnerability in VMware products: VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability. | 9.1 |