Cyber Resilience

CVE-2026-53475

Critical

Published: 10 June 2026

Modified: 17 June 2026

CVSS Score v3.1: 9.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0025 (16.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-53475 is a critical-severity Improper Certificate Validation (CWE-295) vulnerability in Kubev2V Assisted Migration Agent. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE is ranked at the 16.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security (TLS) connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle (MITM) attacker to intercept and harvest vCenter administrator credentials. This can lead to unauthorized access to vCenter.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Insecure hardcoded TLS enables direct MITM interception of credentials (T1557 Adversary-in-the-Middle).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

kubev2v · assisted migration agent · ≤ 2026-06-10

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-295: When certificates are used to establish component provenance, the control requires correct certificate validation procedures.
- Addresses CWE-295: Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.
- Addresses CWE-295: Correct system time is required for proper enforcement of certificate notBefore/notAfter dates and time-based revocation checks.
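The following Go program is an added illustration of the weakness class described under "Vulnerability details" and of the certificate-validation controls listed above; it is not code from the assisted-migration-agent project. It assumes, as a constructed scenario, an agent that authenticates to a vCenter-like HTTPS endpoint with HTTP Basic credentials. The hypothetical helpers `NewInsecureClient`, `NewVerifyingClient`, `Probe` and `IsVerificationFailure`, the `httptest` stand-in server and the credential strings are all assumptions made for the demonstration. The program shows that a client with verification disabled hands its credentials to a server presenting an unknown certificate, while a client validating against an explicit trust anchor set refuses the handshake before any credential is sent.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// NewInsecureClient models the CWE-295 defect: certificate validation is
// switched off at the client, so any certificate from any host is accepted.
// Hypothetical illustration, not the agent's actual code.
func NewInsecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the weak setting
	}}
}

// NewVerifyingClient is the hardened form: full chain validation against an
// explicit set of trust anchors (nil means the system trust store) and a
// minimum protocol version.
func NewVerifyingClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			RootCAs:    roots,
			MinVersion: tls.VersionTLS12,
		},
	}}
}

// Probe sends the kind of credentialed request a migration agent might make to
// vCenter and returns the transport error, if any. The credentials are constructed.
func Probe(c *http.Client, url string) error {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	req.SetBasicAuth("administrator@vsphere.local", "constructed-password")
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// IsVerificationFailure reports whether err is an x509 chain-validation failure,
// i.e. the handshake was refused before any application data was sent.
func IsVerificationFailure(err error) bool {
	var ua x509.UnknownAuthorityError
	if errors.As(err, &ua) {
		return true
	}
	// Fallback for toolchains that do not wrap the verification error.
	return err != nil && strings.Contains(err.Error(), "certificate")
}

// NewUntrustedServer starts a TLS server with a self-signed certificate that
// no client trusts by default; it stands in for an on-path host. Whatever
// arrives in its Authorization header is what such a host would have harvested.
func NewUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
}

func main() {
	srv := NewUntrustedServer()
	defer srv.Close()

	// 1. Weak client: accepts the unknown certificate and sends the credentials.
	fmt.Println("InsecureSkipVerify client error:", Probe(NewInsecureClient(), srv.URL))

	// 2. Hardened client with an empty trust store: refuses the handshake,
	//    so the credentials never leave the process.
	err := Probe(NewVerifyingClient(x509.NewCertPool()), srv.URL)
	fmt.Println("verifying client rejected unknown cert:", IsVerificationFailure(err))

	// 3. Hardened client whose trust anchors include the expected certificate.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	fmt.Println("verifying client with pinned root error:", Probe(NewVerifyingClient(roots), srv.URL))
}
```

Detection of the weak pattern is a code-review or static-analysis matter: search the agent's dependency graph for `InsecureSkipVerify: true` and for custom `VerifyPeerCertificate` callbacks that return nil unconditionally. The hardened form also depends on the remaining controls above, since chain validation is only meaningful with an approved trust anchor set and a correct system clock for notBefore/notAfter checks.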

References