Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-1406

CWE-20 — Improper Input Validation4 documents4 sources

Severity

7.2HIGH

EPSS

0.7%

top 26.99%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Vmware ESX Vmware Esxi Vmware Fusion +2 more

Timeline

PublishedFeb 11

Latest updateMay 17

Description

The Virtual Machine Communication Interface (VMCI) implementation in vmci.sys in VMware Workstation 8.x before 8.0.5 and 9.x before 9.0.1 on Windows, VMware Fusion 4.1 before 4.1.4 and 5.0 before 5.0.2, VMware View 4.x before 4.6.2 and 5.x before 5.1.2 on Windows, VMware ESXi 4.0 through 5.1, and VMware ESX 4.0 and 4.1 does not properly restrict memory allocation by control code, which allows local users to gain privileges via unspecified vectors.

CVSS vector

AV:L/AC:L/C:C/I:C/A:CExploitability: 3.9 | Impact: 10.0

Affected Packages5 packages

▶NVDvmware/esxi4 versions+3

▶NVDvmware/view9 versions+8

▶NVDvmware/fusion6 versions+5

▶NVDvmware/workstation8 versions+7

▶NVDvmware/esx4.0, 4.1+1

🔴Vulnerability Details

GHSA

GHSA-hqcr-m2wp-rwvf: The Virtual Machine Communication Interface (VMCI) implementation in vmci↗2022-05-17

▶

CVEList

CVE-2013-1406: The Virtual Machine Communication Interface (VMCI) implementation in vmci↗2013-02-11

▶

💥Exploits & PoCs

Exploit-DB

VMware Virtual Machine Communication Interface (VMCI) - 'vmci.sys'↗2013-03-06

▶