⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions.
Severity: 9.1 CRITICAL
EPSS: 12.8% (top 5.96%)
CISA KEV: Added 2021-11-03, Due 2022-05-03
Exploit: Exploited in wild (active exploitation observed)

Timeline
Published: Nov 23
KEV added: Nov 3
KEV due: May 3
Latest update: May 24

Description

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.3 | Impact: 6.0

Affected Packages (5 packages)

NVD: vmware/identity_manager_connector 3.3.1, 3.3.2, 3.3.3 (+2)
NVD: vmware/identity_manager 3.3.1, 3.3.2, 3.3.3 (+2)
NVD: vmware/one_access 20.01, 20.10 (+1)
NVD: vmware/cloud_foundation 4.0, 4.0.1 (+1)

🔴 Vulnerability Details (3)

[GHSA] GHSA-hj5r-2q87-qf8g: VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability (2022-05-24)
[CVEList] CVE-2020-4006: VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability (2020-11-23)
[VulnCheck] Multiple VMware Products Command Injection Vulnerability (2020)

📋 Vendor Advisories (2)

[CISA] Multiple VMware Products Command Injection Vulnerability (2021-11-03)
[VMware] VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address command injection vulnerability (2020-11-23)

🕵️ Threat Intelligence (2)

[Unit42] Threat Brief: VMware Command Injection Vulnerability (CVE-2020-4006) (2020-12-10)
[Unit42] Threat Brief: VMware Command Injection Vulnerability (CVE-2020-4006) (2020-12-10)