CVE-2020-3956
published 2020-05-20


Priority: P2 (score 73, high)
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: flagged
EPSS: 21.10% (97.3rd percentile)
VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.

Affected (4 ranges)

Vendor   Product          Version range             Fixed in
vmware   vcloud_director  >= 10.0.0.0 < 10.0.0.2    10.0.0.2
vmware   vcloud_director  >= 9.1.0.0 < 9.1.0.4      9.1.0.4
vmware   vcloud_director  >= 9.5.0.0 < 9.5.0.6      9.5.0.6
vmware   vcloud_director  >= 9.7.0.0 < 9.7.0.5      9.7.0.5

Detection & IOCs (extracted from sources)

command: ${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}
cookie: vcloud_jwt=
path: /api/admin/
bytes: |3a|Host|3e 24 7b|
bytes: .getDeclaredConstructors|28 29 5b|
snort (sid:2030240, inbound attempt):
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible VMware Cloud Director RCE Attempt (CVE-2020-3956)"; flow:established,to_server; flowbits:set,ET.20203956; http.method; content:"PUT"; http.cookie; content:"vcloud_jwt="; startswith; http.request_body; content:"|3a|Host|3e 24 7b|"; content:".getDeclaredConstructors|28 29 5b|"; distance:0; fast_pattern; reference:url,citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/; classtype:attempted-admin; sid:2030240; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2020_06_02, cve CVE_2020_3956, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2024_03_14;)
snort (sid:2030241, outbound response):
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Successful VMware Cloud Director RCE Attempt (CVE-2020-3956)"; flow:established,to_client; flowbits:isset,ET.20203956; http.stat_code; content:"400"; http.response_body; content:"<Error"; content:"has|20|invalid|20|length|20|for"; fast_pattern; reference:url,citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/; classtype:attempted-admin; sid:2030241; rev:3; metadata:affected_product VMware, attack_target Server, created_at 2020_06_02, cve CVE_2020_3956, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14;)
  • Exploit is delivered via HTTP PUT request to the vCloud Director admin API email settings endpoint, injecting a malicious Expression Language payload as the SMTP host name value.
  • Requests carry the 'vcloud_jwt' session cookie and 'x-vcloud-authorization' header; monitor for PUT requests to /api/admin/ paths bearing these headers alongside EL injection patterns.
  • A successful exploitation attempt can be detected by a 400 HTTP response containing '<Error' and the string 'has invalid length for' in the response body, paired with the ET.20203956 flowbit being set.
  • The exploit can be triggered through the HTML5-based UI, Flex-based UI, the API Explorer interface, and direct API access — monitor all four attack surfaces.
  • The exploit uses base64-encoded commands piped through bash to evade simple string matching; look for base64 decode patterns in HTTP request bodies alongside the EL injection template.
  • The exploit requires valid authenticated credentials; unauthenticated exploitation is not possible. The threat actor must be an authenticated user of the VMware Cloud Director instance.
  • The Snort rules use flowbits (ET.20203956) to correlate inbound exploit attempts with outbound error responses; both rules (sid:2030240 and sid:2030241) must be active together for full detection coverage.
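The two Snort rules above only fire together: the request rule sets the ET.20203956 flowbit and the response rule requires it. The following Python re-implements that two-stage logic so it can be run over HTTP transaction records from a proxy or WAF log, and also surfaces the base64-wrapped inner command that the fifth bullet points at. It is an added example, not code from this page's sources or from Emerging Threats; the match strings are copied from the rules, while the HttpTxn records, the cookie value, the /api/admin/settings/email path and the request bodies are constructed stand-ins for illustration.

```python
"""Added example: flowbit-style correlation of the two CVE-2020-3956 Snort rules
over constructed HTTP transactions. Match bytes come from the rules on the page;
all transaction data below is constructed sample input."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Byte patterns copied from the Snort rules: |3a|Host|3e 24 7b| and
# .getDeclaredConstructors|28 29 5b| for the request, <Error and
# "has invalid length for" for the response.
REQ_HOST_EL = b":Host>${"
REQ_REFLECT = b".getDeclaredConstructors()["
RESP_ERROR = b"<Error"
RESP_LENGTH = b"has invalid length for"

# Finds the "echo <b64>|base64 -d" idiom from the fifth bullet (hypothetical regex).
B64_PIPE = re.compile(rb"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+-d")


@dataclass
class HttpTxn:
    """One request or response; status is None for requests (constructed shape)."""
    flow_id: str            # stands in for the TCP flow that Snort tracks
    method: str = ""
    path: str = ""
    cookies: str = ""
    status: Optional[int] = None
    body: bytes = b""


def request_is_exploit_attempt(txn: HttpTxn) -> bool:
    """Equivalent of sid:2030240: PUT, Cookie header starting with vcloud_jwt=,
    EL marker inside a namespaced Host element followed by the reflection call."""
    if txn.method != "PUT" or not txn.cookies.startswith("vcloud_jwt="):
        return False
    first = txn.body.find(REQ_HOST_EL)
    if first < 0:
        return False
    # distance:0 means the second content must follow the first match
    return txn.body.find(REQ_REFLECT, first + len(REQ_HOST_EL)) >= 0


def response_indicates_success(txn: HttpTxn) -> bool:
    """Equivalent of sid:2030241 minus the flowbit: 400 with the EL error text."""
    return txn.status == 400 and RESP_ERROR in txn.body and RESP_LENGTH in txn.body


def extract_base64_commands(body: bytes) -> List[str]:
    """Decode base64 tokens piped into base64 -d so an analyst can triage
    the inner command without running anything."""
    decoded = []
    for token in B64_PIPE.findall(body):
        try:
            decoded.append(base64.b64decode(token).decode("utf-8", "replace"))
        except ValueError:
            continue
    return decoded


def correlate(txns: List[HttpTxn]) -> Tuple[List[str], List[str]]:
    """Emulate flowbits:set / flowbits:isset on ET.20203956.
    Returns (flows with an attempt, flows whose response confirms it)."""
    flagged = set()
    attempts, confirmed = [], []
    for t in txns:
        if t.status is None:                     # request side
            if request_is_exploit_attempt(t):
                flagged.add(t.flow_id)
                attempts.append(t.flow_id)
        elif t.flow_id in flagged and response_indicates_success(t):
            confirmed.append(t.flow_id)          # response side, bit already set
    return attempts, confirmed


# Constructed sample traffic: flow f1 is an attempt plus a telltale 400;
# flow f2 is a legitimate SMTP host update that also happens to get a 400.
SAMPLE_TXNS = [
    HttpTxn("f1", "PUT", "/api/admin/settings/email", "vcloud_jwt=CONSTRUCTED",
            body=b"<vmext:Host>${placeholder.getDeclaredConstructors()[0]}</vmext:Host>"
                 b"<Note>echo aWQ=|base64 -di|bash</Note>"),
    HttpTxn("f1", status=400,
            body=b'<Error minorErrorCode="BAD_REQUEST" message="value has invalid length for field"/>'),
    HttpTxn("f2", "PUT", "/api/admin/settings/email", "vcloud_jwt=CONSTRUCTED",
            body=b"<vmext:Host>smtp.example.com</vmext:Host>"),
    HttpTxn("f2", status=400,
            body=b'<Error message="value has invalid length for field"/>'),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_TXNS))                         # (['f1'], ['f1'])
    print(extract_base64_commands(SAMPLE_TXNS[0].body))  # ['id']
```

Flow f2 shows why the flowbit matters: its 400 response carries the same error text, but without a preceding matching PUT on the same flow it is not reported, which keeps ordinary validation errors out of the alert stream.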

CVSS provenance

NVD v3.1: 8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P