Connect with us

Hi, what are you looking for?



Chinese Spies Exploited VMware vCenter Server Vulnerability Since 2021

CVE-2023-34048, a vCenter Server vulnerability patched in October 2023, had been exploited as zero-day for a year and a half.

VMware vulnerability

Evidence suggests that a Chinese cyberespionage group had been exploiting a recent VMware vCenter Server vulnerability as a zero-day since 2021, Mandiant reports.

The flaw, tracked as CVE-2023-34048 (CVSS score of 9.8), is an out-of-bounds write bug in VMware’s implementation of the DCERPC protocol that could allow an attacker with network access to execute arbitrary code remotely.

VMware released patches for the vulnerability in October, noting that, due to the severity of the bug and the lack of workarounds, it had decided to make the fix available for product versions that reached end-of-life (EoL) status as well.

Last week, the virtualization technology company updated its advisory to warn that it was aware of in-the-wild exploitation of CVE-2023-34048, without providing specific information on the observed attacks.

On Friday, cybersecurity firm Mandiant, which is part of Google Cloud, revealed that the exploitation of CVE-2023-34048 likely started a year and a half ago, and that a sophisticated China-linked espionage group tracked as UNC3886 is responsible for it.

“UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities,” the cybersecurity firm said.

Mandiant’s analysis of the attack path exploiting CVE-2023-20867 revealed the presence of specific entries in the VMware service crash logs, showing that the ‘vmdird’ service would crash shortly before the attacker backdoors were deployed.

“Analysis of the core dump of vmdird by both Mandiant and VMware Product Security showed that the process crashing is closely aligned with the exploitation of CVE-2023-34048,” Mandiant noted.

Advertisement. Scroll to continue reading.

The same crashes, Mandiant pointed out, were observed across multiple UNC3886 intrusions starting late 2021, “leaving a window of roughly a year and a half that this attacker had access to this vulnerability”.

The cybersecurity firm also observed that the attackers removed the ‘vmdird’ core dumps from the compromised environments, to cover their tracks, albeit the log entries were preserved.

VMware patched the vulnerability in vCenter version 8.0U2 and made the fixes available for vCenter Server versions 8.0U1, 7.0U3, 6.7U3, 6.5U3, and VCF 3.x, as well as for Async vCenter Server VCF 5.x and 4.x deployments.

VMware customers are advised to apply the available patches as soon as possible.

Related: VMware Urges Customers to Patch Critical Aria Automation Vulnerability

Related: Critical Authentication Bypass Flaw in VMware Cloud Director Appliance

Related: Exploit Code Published for Critical-Severity VMware Security Defect

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.