Security News

VMware has published a series of workarounds for critical command injection vulnerabilities in its Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector products. A command injection vuln could allow malicious people who have network access to the "Administrative configurator on port 8443" together with "a valid password for the configurator admin account" to execute commands with "Unrestricted privileges on the underlying operating system," said VMware.

VMware on Monday published an advisory to inform users that it's working on patching a critical command injection vulnerability affecting Workspace ONE Access and some related components. VMware has not specified if technical details of the vulnerability have been disclosed or if it has been exploited in attacks.

For the second time in less than a week, VMware is warning about a critical vulnerability. As some of these are components of the VMware Cloud Foundation and vRealize Suite Lifecycle Manager product suites, those are impacted as well.

VMware has released temporary workarounds to address a critical vulnerability in its products that could be exploited by an attacker to take control of an affected system. Tracked as CVE-2020-4006, the command injection vulnerability has a CVSS score of 9.1 out of 10 and impacts VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.

The U.S. Cybersecurity and Infrastructure Security Agency is warning of a zero-day bug affecting six VMware products including its Workspace One, Identity Manager and vRealize Suite Lifecycle Manager. The critical unpatched bug is a command injection vulnerability.

VMware has released a workaround to address a critical zero-day in multiple VMware Workspace One components that allows attackers to execute commands on the host Linux and Windows operating systems using escalated privileges. The vulnerability tracked as CVE-2020-4006 is a command injection bug - with a 9.1/10 CVSSv3 severity rating - found in the administrative configurator of some releases of VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.

VMware has hurried out fixes for a critical flaw in its ESXi hypervisor, a few weeks after it was found during China's Tianfu Cup hacking competition. 360 ESG Vulnerability Research Institute is the only team to run the entry on VMware ESXi today.

VMware has released security updates to fix critical and high severity vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation, allowing for code execution and privilege escalation. One of the security bugs, with a critical severity rating and tracked as CVE-2020-4004, allows attackers with local administrative privileges on a virtual machine to abuse a use-after-free vulnerability in the XHCI USB controller of VMware ESXi, Workstation, and Fusion.

VMware on Thursday announced releasing patches for a couple of serious ESXi vulnerabilities that were demonstrated at a recent hacking contest in China. The 360 ESG Vulnerability Research Institute from Chinese cybersecurity company Qihoo 360 earned more than $740,000 of the total, including $180,000 for a VMware ESXi guest to host escape exploit.

VMware has patched critical vulnerabilities affecting its ESXi enterprise-class hypervisor and has released a security update for its SD-WAN Orchestrator, plugging a handful of serious security holes. Vulnerabilities in ESXi hypervisor exploited during a hacking competition.