Cyber Resilience

CVE-2023-34048

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 25 October 2023

Published
25 October 2023
Modified
30 October 2025
KEV Added
22 January 2024
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9321 99.8th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-34048 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Vmware Vcenter Server. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).

Deeper analysis

vCenter Server contains an out-of-bounds write vulnerability in its DCERPC protocol implementation. The flaw is tracked as CVE-2023-34048 and carries a CVSS v3.1 score of 9.8, reflecting network-accessible attack complexity that requires no authentication or user interaction.

A malicious actor with network access to vCenter Server can trigger the out-of-bounds write to achieve remote code execution on the affected system. The vulnerability is also catalogued under CWE-787.

VMware has published advisory VMSA-2023-0023 detailing the issue, and CISA lists CVE-2023-34048 in its Known Exploited Vulnerabilities catalog. The associated EPSS score has remained at a peak of 0.9321 since disclosure, indicating sustained exploitation interest.

EU & UK References

Vulnerability details

vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution.

CWE(s)
KEV Date Added
22 January 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vmware
vcenter server
7.0, 8.0 · 4.0 — 5.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of vendor patches that eliminate the DCERPC out-of-bounds write before exploitation can occur.

prevent

Enforces boundary protection and traffic filtering to block unauthorized network access to vCenter, eliminating the attack vector required by the CVE.

prevent

Enforces access-control decisions on network connections and services, limiting which hosts or accounts can reach the vulnerable DCERPC implementation.

References