VMware discloses critical zero-day vulnerability in Workspace One

Posted by & filed under Security Alerts.

VMware has released a workaround to address a critical zero-day in multiple VMware Workspace One components that allows attackers to execute commands on the host Linux and Windows operating systems using escalated privileges.

Zero-days are publicly disclosed vulnerabilities not yet patched by the vendor. In some cases, zero-days are also actively exploited in the wild or have publicly available proof-of-concept exploits.

Not all versions are vulnerable

The vulnerability tracked as CVE-2020-4006 is a command injection bug — with a 9.1/10 CVSSv3 severity rating — found in the administrative configurator of some releases of VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” according to VMware’s advisory.

Product versions affected by the CVE-2020-4006 zero-day include:

  • VMware Workspace One Access 20.10 (Linux)
  • VMware Workspace One Access  20.01 (Linux)
  • VMware Identity Manager 3.3.1 up to 3.3.3 (Linux)
  • VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)

Temporary workaround available

While VMware is still working on releasing security updates to address the zero-day vulnerability, the company does provide admins with a temporary workaround designed to fully remove the attack vector on affected systems and prevent exploitation of CVE-2020-4006.

The provided workaround applies ONLY to VMware Workspace One Access, VMware Identity Manager, and VMware Identity Manager Connector according to VMware.

“Impacts are limited to functionality performed by this service,” VMware adds. “Configurator-managed setting changes will not be possible while the workaround is in place.”

“If changes are required please revert the workaround following the instructions below, make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed.”

Full details on how to implement and revert the workarounds on Linux-based appliances and Windows-based servers are available HERE.

We urges admins and users to apply the workarounds issued by VMware to block attackers from potentially taking over impacted systems.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer., while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.