VMware vCenter Server vulnerabilities

81 known vulnerabilities affecting vmware/vcenter_server.

Total CVEs: 81
CISA KEV: 11 (actively exploited)
Public exploits: 10
Exploited in wild: 11
Severity breakdown: CRITICAL 20, HIGH 29, MEDIUM 31, LOW 1

Vulnerabilities

Page 1 of 5
CVE-2025-41225 | HIGH | CVSS 8.8 | ≥ 8.0, < 8.0 U3e; ≥ 7.0, < 7.0 U3v | 2025-05-20
CVE-2025-41225 [HIGH] CWE-78: The vCenter Server contains an authenticated command-execution vulnerability. A malicious actor with privileges to create or modify alarms and run script action may exploit this issue to run arbitrary commands on the vCenter Server.
Sources: cvelistv5, nvd
CVE-2025-41228 | MEDIUM | CVSS 4.3 | PoC | ≥ 8.0, < 8.0 U3e | 2025-05-20
CVE-2025-41228 [MEDIUM] CWE-79: VMware ESXi and vCenter Server contain a reflected cross-site scripting vulnerability due to improper input validation. A malicious actor with network access to the login page of certain ESXi host or vCenter Server URL paths may exploit this issue to steal cookies or redirect to malicious websites.
Sources: cvelistv5, nvd
CVE-2024-38813 | CRITICAL | CVSS 9.8 | KEV | v7.0; v8.0 | 2024-09-17
CVE-2024-38813 [HIGH] CWE-250: The vCenter Server contains a privilege escalation vulnerability. A malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a specially crafted network packet.
Sources: nvd
CVE-2024-38812 | CRITICAL | CVSS 9.8 | KEV | v7.0; v8.0 | 2024-09-17
CVE-2024-38812 [CRITICAL] CWE-122: The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.
Sources: nvd
CVE-2024-37087 | MEDIUM | CVSS 5.3 | v7.0; v8.0 | 2024-06-25
CVE-2024-37087 [MEDIUM] CWE-732: The vCenter Server contains a denial-of-service vulnerability. A malicious actor with network access to vCenter Server may create a denial-of-service condition.
Sources: nvd
CVE-2024-37079 | CRITICAL | CVSS 9.8 | KEV | v8.0; v7.0 | 2024-06-18
CVE-2024-37079 [CRITICAL] CWE-787: vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.
Sources: nvd
CVE-2024-37080 | CRITICAL | CVSS 9.8 | v8.0; v7.0 | 2024-06-18
CVE-2024-37080 [CRITICAL] CWE-787: vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.
Sources: nvd
CVE-2024-37081 | HIGH | CVSS 7.8 | v8.0; v7.0 | 2024-06-18
CVE-2024-37081 [HIGH] CWE-556: The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance.
Sources: nvd
CVE-2024-22274 | HIGH | CVSS 7.2 | v7.0; v8.0 | 2024-05-21
CVE-2024-22274 [HIGH] CWE-94: The vCenter Server contains an authenticated remote code execution vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to run arbitrary commands on the underlying operating system.
Sources: nvd
CVE-2024-22275 | MEDIUM | CVSS 4.9 | v7.0; v8.0 | 2024-05-21
CVE-2024-22275 [MEDIUM] CWE-200: The vCenter Server contains a partial file read vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to partially read arbitrary files containing sensitive data.
Sources: nvd
CVE-2023-34048 | CRITICAL | CVSS 9.8 | KEV, PoC | ≥ 4.0, ≤ 5.5; v7.0; +1 more | 2023-10-25
CVE-2023-34048 [CRITICAL] CWE-787: vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution.
Sources: nvd
CVE-2023-34056 | MEDIUM | CVSS 4.3 | ≥ 4.0, ≤ 5.5; v7.0; +1 more | 2023-10-25
CVE-2023-34056 [MEDIUM] CWE-922: vCenter Server contains a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data.
Sources: nvd
CVE-2023-20894 | CRITICAL | CVSS 9.8 | fixed in 7.0; v7.0; +1 more | 2023-06-22
CVE-2023-20894 [HIGH] CWE-787: The VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bound write by sending a specially crafted packet leading to memory corruption.
Sources: nvd
CVE-2023-20892 | CRITICAL | CVSS 9.8 | fixed in 7.0; v7.0; +1 more | 2023-06-22
CVE-2023-20892 [HIGH] CWE-787: The vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may exploit heap-overflow vulnerability to execute arbitrary code on the underlying operating system that hosts vCenter Server.
Sources: nvd
CVE-2023-20893 | CRITICAL | CVSS 9.8 | fixed in 7.0; v7.0; +1 more | 2023-06-22
CVE-2023-20893 [HIGH] CWE-416: The VMware vCenter Server contains a use-after-free vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may exploit this issue to execute arbitrary code on the underlying operating system that hosts vCenter Server.
Sources: nvd
CVE-2023-20895 | CRITICAL | CVSS 9.8 | fixed in 7.0; v7.0; +1 more | 2023-06-22
CVE-2023-20895 [HIGH] CWE-787: The VMware vCenter Server contains a memory corruption vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger a memory corruption vulnerability which may bypass authentication.
Sources: nvd
CVE-2023-20896 | HIGH | CVSS 7.5 | ≥ 4.0, < 7.0; v7.0; +1 more | 2023-06-22
CVE-2023-20896 [MEDIUM] CWE-125: The VMware vCenter Server contains an out-of-bounds read vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds read by sending a specially crafted packet leading to denial-of-service of certain services (vmcad, vmdird, and vmafdd).
Sources: nvd
CVE-2022-31697 | MEDIUM | CVSS 5.5 | v6.5; v6.7; +1 more | 2022-12-13
CVE-2022-31697 [MEDIUM] CWE-312: The vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plaintext. A malicious actor with access to a workstation that invoked a vCenter Server Appliance ISO operation (Install/Upgrade/Migrate/Restore) can access plaintext passwords used during that operation.
Sources: nvd
CVE-2022-31698 | MEDIUM | CVSS 5.3 | v6.5; v6.7; +1 more | 2022-12-13
CVE-2022-31698 [MEDIUM] CWE-400: The vCenter Server contains a denial-of-service vulnerability in the content library service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to trigger a denial-of-service condition by sending a specially crafted header.
Sources: nvd
CVE-2022-31680 | CRITICAL | CVSS 9.1 | fixed in 6.5; v6.5 | 2022-10-07
CVE-2022-31680 [CRITICAL] CWE-502: The vCenter Server contains an unsafe deserialisation vulnerability in the PSC (Platform services controller). A malicious actor with admin access on vCenter server may exploit this issue to execute arbitrary code on the underlying operating system that hosts the vCenter Server.
Sources: nvd