CVE-2020-3992

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 20 October 2020
Modified: 30 October 2025
KEV Added: 03 November 2021
Patch: available (see Deeper analysis)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9031 (99.6th percentile)
Risk Priority: 94 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-3992 is a critical-severity Use After Free (CWE-416) vulnerability in VMware ESXi. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-3992 is a use-after-free vulnerability (CWE-416) in the OpenSLP service as shipped with VMware ESXi. Affected releases are 7.0 prior to ESXi_7.0.1-0.0.16850804, 6.7 prior to ESXi670-202010401-SG, and 6.5 prior to ESXi650-202010401-SG. The flaw carries a CVSS v3.1 base score of 9.8.

An unauthenticated attacker on the management network who can reach TCP/UDP port 427 can send crafted SLP packets that trigger the use-after-free condition, resulting in remote code execution with full control over the hypervisor.

VMware security advisory VMSA-2020-0023 and corresponding Zero Day Initiative reports ZDI-20-1377 and ZDI-20-1385 identify the issue and direct administrators to apply the listed ESXi updates that contain the corrected OpenSLP implementation. No public reports of in-the-wild exploitation appear in the provided references.

Vulnerability details

OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.

CWE(s): CWE-416 (Use After Free)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- vmware cloud foundation: 3.0 to 3.10.1.2; 4.0 to 4.1.0.1
- vmware esxi: 6.5, 6.7, 7.0.0

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-2, Flaw Remediation): directly requires timely installation of the vendor patches that remediate the use-after-free flaw in OpenSLP.
- prevent (SC-7, Boundary Protection): enforces boundary protection and traffic filtering so that only authorized management-network hosts can reach TCP/UDP 427.
- prevent: requires disabling or removing non-essential services, such as the vulnerable OpenSLP listener, when they are not required.
