VMware fixes critical Cloud Director auth bypass unpatched for 2 weeks

VMware has fixed a critical authentication bypass vulnerability in Cloud Director appliance deployments, a bug that remained unpatched for over two weeks after it was disclosed on November 14th. Cloud Director is a VMware platform that enables admins to manage data centers spread across multiple locations as Virtual Data Centers.
"On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 or port 5480," VMware explains.
"This bypass is not present on port 443. On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present."
"VMware released VMware Security Advisory VMSA-2023-0026 to help customers understand the issue and which upgrade path will fix it," VMware says in a separate advisory.
In June, VMware patched an ESXi zero-day exploited by Chinese cyberspies for data theft and alerted customers to an actively abused critical flaw in the Aria Operations for Networks analytics tool.
VMware discloses critical VCD Appliance auth bypass with no patch.