Security News > 2023 > December > VMware fixes critical Cloud Director auth bypass unpatched for 2 weeks
VMware has fixed a critical authentication bypass vulnerability in Cloud Director appliance deployments, a bug that was left unpatched for over two weeks since it was disclosed on November 14th. Cloud Director is a VMware platform that enables admins to manage data centers spread across multiple locations as Virtual Data Centers.
"On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 or port 5480," VMware explains.
"This bypass is not present on port 443. On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present."
"VMware released VMware Security Advisory VMSA-2023-0026 to help customers understand the issue and which upgrade path will fix it," VMware says in a separate advisory.
In June, VMware patched an ESXi zero-day exploited by Chinese cyberspies for data theft and alerted customers to an actively abused critical flaw in the Aria Operations for Networks analytics tool.
VMware discloses critical VCD Appliance auth bypass with no patch.
News URL
Related news
- Juniper patches critical auth bypass in Session Smart routers (source)
- Moxa Issues Fix for Critical Authentication Bypass Vulnerability in PT Switches (source)
- GitLab patches critical authentication bypass vulnerabilities (source)
- Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks (source)
- Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) (source)
- Critical flaw in Next.js lets hackers bypass authorization (source)
- Broadcom warns of authentication bypass in VMware Windows Tools (source)
- Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication (source)
- Critical auth bypass bug in CrushFTP now exploited in attacks (source)