CVE-2020-4006

critical

Description

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability.

From the Tenable Blog

CVE-2020-4006: VMware Command Injection Flaw Exploited by Russian State-Sponsored Threat Actors

CVE-2020-4006: VMware Command Injection Flaw Exploited by Russian State-Sponsored Threat Actors

Published: 2020-12-09

The National Security Agency warns that Russian state-sponsored threat actors are exploiting an important VMware vulnerability in the wild. Background On December 7, the National Security Agency (NSA) published a cybersecurity advisory regarding in-the-wild exploitation, by Russian state-sponsored threat actors, of a vulnerability in several VMware products.

References

https://www.kb.cert.org/vuls/id/724367

https://www.infosecurity-magazine.com/news/broadcom-patches-vmware-nsx-vcenter/

https://www.tenable.com/cyber-exposure/2020-threat-landscape-retrospective

https://media.defense.gov/2020/Dec/07/2002547071/-1/-1/0/CSA_VMWARE%20ACCESS_U_OO_195076_20.PDF

https://www.tenable.com/blog/vmware-patches-multiple-vulnerabilities-in-workspace-one-vmsa-2022-0011

https://www.tenable.com/blog/government-advisories-warn-of-apt-activity-resulting-from-russian-invasion-of-ukraine

https://www.tenable.com/blog/cve-2020-4006-vmware-command-injection-flaw-exploited-by-russian-state-sponsored-threat-actors

https://www.vmware.com/security/advisories/VMSA-2020-0027.html

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-4006

Details

Source: Mitre, NVD

Published: 2020-11-23

Updated: 2025-10-22

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 9.1

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.20331