VMware on Thursday announced releasing patches for a couple of serious ESXi vulnerabilities that were demonstrated at a recent hacking contest in China.
At the 2020 Tianfu Cup International PWN Contest, which took place earlier this month in China, participants earned a total of more than $1.2 million for exploits targeting Chrome, Safari, Firefox, Adobe Reader, Docker, VMware ESXi, CentOS, the iPhone, the Samsung Galaxy S20 phone, Windows, and routers from TP-Link and Asus.
The 360 ESG Vulnerability Research Institute from Chinese cybersecurity company Qihoo 360 earned more than $740,000 of the total, including $180,000 for a VMware ESXi guest to host escape exploit.
VMware was monitoring the event and it immediately started working on patches. The virtualization giant announced the first patches on Thursday, less than two weeks after Tianfu Cup ended.
An advisory published by VMware describes two vulnerabilities that were chained at the hacking competition — it’s unclear if there are other flaws involved as well.
One of the security holes, CVE-2020-4005, is a privilege escalation issue caused by the way certain system calls are managed. This high-severity flaw allows an attacker who has privileges within the VMX process only to elevate permissions on the targeted system.
This vulnerability can be chained with CVE-2020-4004, an issue rated critical that the Qihoo 360 researchers exploited to execute code as the virtual machine’s VMX process running on the host. The flaw is a use-after-free affecting the XHCI USB controller and exploitation requires local admin privileges on the VM.
CVE-2020-4004 affects ESXi, Fusion, Workstation and VMware Cloud Foundation. Patches and updates have been released, except for Cloud Foundation, for which fixes are pending.
In the case of CVE-2020-4005, it impacts ESXi and Cloud Foundation. Fixes are available for ESXi and they are pending for Cloud Foundation.
Google and Mozilla have also patched the Chrome and Firefox vulnerabilities disclosed at the competition.
At last year’s Tianfu Cup, researchers from Qihoo 360 earned $200,000 for a VMware ESXi exploit. The vulnerabilities leveraged for that exploit were also patched by the virtualization giant after roughly two weeks.
VMware this week also patched a series of vulnerabilities in its SD-WAN Orchestrator product that could have allowed an unauthenticated attacker to remotely execute arbitrary code, which researchers say could lead to the shutdown of an enterprise network or traffic steering.
Related: Patch for Critical VMware ESXi Vulnerability Incomplete
Related: VMware Patches Critical Code Execution Vulnerability in ESXi
Related: Google Researcher Finds Vulnerability in VMware Virtualization Products

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
