
VMware fixes critical Cloud Director auth bypass unpatched for 2 weeks
2023-12-01 17:58

VMware has fixed a critical authentication bypass vulnerability in Cloud Director appliance deployments, a bug that remained unpatched for over two weeks after it was disclosed on November 14th. Cloud Director is a VMware platform that enables admins to manage data centers spread across multiple locations as Virtual Data Centers.

"On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 or port 5480," VMware explains.

"This bypass is not present on port 443. On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present."

"VMware released VMware Security Advisory VMSA-2023-0026 to help customers understand the issue and which upgrade path will fix it," VMware says in a separate advisory.

In June, VMware patched an ESXi zero-day exploited by Chinese cyberspies for data theft and alerted customers to an actively abused critical flaw in the Aria Operations for Networks analytics tool.



News URL

https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-cloud-director-auth-bypass-unpatched-for-2-weeks/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 146 11 222 256 102 591