Security News > 2022 > October > Exploit released for critical VMware RCE vulnerability, patch now
Proof-of-concept exploit code is now available for a pre-authentication remote code execution vulnerability allowing attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation and NSX Manager appliances.
The flaw is in the XStream open-source library used by the two VMware products and was assigned an almost maximum CVSSv3 base score of 9.8/10 by VMware.
VMware released security updates to address the CVE-2021-39144 flaw reported by Sina Kheirkhah of MDSec and Steven Seeley of Source Incite on Tuesday.
VMware has also shared a temporary solution for admins who cannot immediately deploy security updates to patch their appliances.
In August, VMware warned customers of another public PoC exploit targeting a critical authentication bypass security flaw in multiple VMware products, allowing attackers to gain admin privileges on unpatched appliances.
VMware also informed customers who updated to vCenter Server 8.0 this month that they'll have to wait for a patch to address a privilege escalation vulnerability the company disclosed almost a year ago, in November 2021.
News URL
Related news
- Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now (source)
- Critical Erlang/OTP SSH RCE bug now has public exploits, patch now (source)
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability (source)
- Still Using an Older Version of iOS or iPadOS? Update Now to Patch These Critical Security Vulnerabilities (source)
- Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457) (source)
- Fortinet Urges FortiSwitch Upgrades to Patch Critical Admin Password Change Flaw (source)
- CISA Warns of CentreStack's Hard-Coded MachineKey Vulnerability Enabling RCE Attacks (source)
- PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-23 | CVE-2021-39144 | Deserialization of Untrusted Data vulnerability in multiple products XStream is a simple library to serialize objects to XML and back again. | 8.5 |