Cyber Resilience

CVE-2020-3952

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 10 April 2020

Published
10 April 2020
Modified
30 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9437 100.0th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-3952 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vmware Vcenter Server. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

The vulnerability tracked as CVE-2020-3952 affects vmdir, a directory service component that ships with VMware vCenter Server as part of an embedded or external Platform Services Controller (PSC). Under certain conditions the component fails to correctly implement access controls, corresponding to CWE-306 (Missing Authentication for Critical Function). The issue received a CVSS 3.1 base score of 9.8.

An unauthenticated attacker with network access can exploit the flaw to bypass authentication entirely, obtaining full read, write, and administrative control over the affected vCenter instance.

The official VMware advisory VMSA-2020-0006 and associated patches address remediation steps, while the vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. Public exploit code has also been posted to Packet Storm.

EU & UK References

Vulnerability details

Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vmware
vcenter server
6.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication and authorization checks on vmdir functions, preventing the unauthenticated administrative access that CVE-2020-3952 permits.

prevent

Requires identification and authentication of organizational users before granting access to the directory service, closing the missing-authentication flaw exploited by the CVE.

prevent

Limits privileges that can be obtained after authentication, reducing the impact of any residual bypass of vmdir access controls.

References