Cyber Resilience

CVE-2020-4006

CriticalCISA KEVActive ExploitationEUVD ExploitedRCE

Published: 23 November 2020

Published
23 November 2020
Modified
30 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.1363 94.4th percentile
Risk Priority 46 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-4006 is a critical-severity OS Command Injection (CWE-78) vulnerability in Vmware Identity Manager Connector. Its CVSS base score is 9.1 (Critical).

Operationally, ranked in the top 5.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector contain a command injection vulnerability tracked as CVE-2020-4006 and assigned CWE-78. The flaw received a CVSS 3.1 base score of 9.1 reflecting a network-accessible attack with low complexity that requires high privileges yet produces high impact on confidentiality, integrity, and availability with changed scope.

An authenticated administrator can supply crafted input that results in arbitrary command execution on the affected appliance, allowing full control over the system and any connected resources. Because the vulnerability is remotely exploitable without user interaction, successful exploitation can lead to complete compromise of the identity-management environment.

The official VMware advisory VMSA-2020-0027 provides mitigation guidance and patch information, while the U.S. CISA Known Exploited Vulnerabilities catalog lists the issue as actively used in the wild, underscoring the need for immediate remediation.

EU & UK References

Vulnerability details

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vmware
identity manager
3.3.1, 3.3.2, 3.3.3
vmware
identity manager connector
3.3.1, 3.3.2, 3.3.3
vmware
one access
20.01, 20.10
vmware
cloud foundation
4.0, 4.0.1
vmware
vrealize suite lifecycle manager
8.0 — 8.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly blocks the crafted input that triggers arbitrary command execution (CWE-78) before the appliance processes it.

prevent

Limits the high-privilege administrator accounts that are required to reach the vulnerable command-injection code path.

prevent

Requires prompt application of the VMware patches listed in VMSA-2020-0027 that eliminate the command-injection flaw.

References