Published: 20/11/2020 Updated: 03/12/2020
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

VMware ESXi, Workstation and Fusion could allow a local authenticated malicious user to gain elevated privileges on the system, caused by an error in the way certain system calls are being managed. An attacker could exploit this vulnerability to gain elevated privileges on the system.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

vmware cloud foundation

vmware esxi 6.5

vmware esxi 6.7

vmware esxi 7.0

Recent Articles

VMware Fixes Critical Flaw in ESXi Hypervisor
Threatpost • Lindsey O'Donnell • 20 Nov 2020

VMware has hurried out fixes for a critical flaw in its ESXi hypervisor, a few weeks after it was found during China’s Tianfu Cup hacking competition.
The use-after-free vulnerability (CVE-2020-4004) has a CVSS score of 9.3 out of 10, making it critical. It exists in the eXtensible Host Controller Interface (xHCI) USB controller of ESXi. XHCI is an interface specification that defines a register-level description of a host controller for USB.
According to VMware in a Thursday ...

VMWare releases fix for critical ESXi, Workstation vulnerability
BleepingComputer • Sergiu Gatlan • 20 Nov 2020

VMware has released security updates to fix critical and high severity vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation, allowing for code execution and privilege escalation.
The two vulnerabilities were
 by Qihoo 360 Vulcan Team's Xiao Wei and Tianwen Tang during the first day of the 2020 Tianfu Cup Pwn Contest.
One of the security bugs, with a critical severity rating and tracked as CVE-2020-4004, allows attackers with local administrative priv...

The Register

VMware has revealed and repaired the flaws in its hypervisor discovered at China’s Tianfu Cup white hat hacking competition.
CVE-2020-4004, rated critical due to its 9.3 on the CVSS scale, is described as a “Use-after-free vulnerability in XHCI USB controller”. It allows a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host. The VMX process runs in the VMkernel and is responsible for handli...