CVE-2019-5544
CVE-2019-5544 is a critical-severity vulnerability in Vmware Horizon Daas with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-787.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 97% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2019-15119
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-787
- Affected product: Vmware Horizon Daas
- Published:
- Last modified:
Description
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
CVE-2019-5544: OpenSLP Heap Overwrite in VMware ESXi and Horizon DaaS
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2019-5544 |
| Published | 2019-12-06 |
| CVSS v3 | 9.8 (Critical) |
| CVSS v2 | 7.5 |
| EPSS | 0.96823 (99.88th percentile) |
| KEV | Yes (2021-11-03) |
| Ransomware | Yes |
| CWE | CWE-787 |
Summary
OpenSLP as used in VMware ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware evaluated this as Critical with a maximum CVSSv3 base score of 9.8. The vulnerability allows unauthenticated remote exploitation with low complexity.
Background
OpenSLP (Open Service Location Protocol) is an open-source implementation of the Service Location Protocol used for service discovery in network environments. VMware embedded OpenSLP in its ESXi hypervisor and Horizon DaaS (Desktop as a Service) appliances. The vulnerability was disclosed in December 2019 by VMware.
Root Cause
The vulnerability is classified as CWE-787: Out-of-bounds Write. A heap overwrite occurs in the OpenSLP component when processing network input. This memory corruption allows overwriting heap data beyond the intended buffer boundary, which can lead to complete system compromise.
Impact
The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8. This indicates:
- Network Attack Vector (AV:N): Exploitable remotely over the network without local access.
- Low Attack Complexity (AC:L): No special conditions or advanced techniques are required.
- No Privileges Required (PR:N): Exploitation does not require authenticated or privileged access.
- No User Interaction (UI:N): The attack can be executed without any action from a legitimate user.
- High Impact on Confidentiality, Integrity, and Availability (C:H/I:H/A:H): Successful exploitation results in complete compromise across all three security dimensions.
Exploitation Walkthrough
Ethics Notice: This section is provided for defensive and educational purposes only. Exploitation of vulnerabilities without authorization is illegal and unethical. The following describes how attackers may leverage this flaw so defenders can understand their exposure.
An attacker with network access to the target system can send specially crafted SLP requests to the OpenSLP service on ESXi or Horizon DaaS. The malformed input triggers the heap overwrite condition, potentially allowing the attacker to corrupt heap metadata and achieve complete system compromise. Because no authentication is required and the attack complexity is low, this vulnerability is particularly attractive to automated threat actors and ransomware operators.
Affected and Patched Versions
Based on the CPE data provided:
- VMware ESXi: Versions 6.0, 6.5, and 6.7 (including numerous patch levels)
- VMware Horizon DaaS: Affected
- OpenSLP: OpenSLP project versions
- Red Hat Enterprise Linux: Desktop 6, 7; Server 6, 7; Workstation 6, 7; and various architecture-specific variants
- Fedora: Versions 30 and 31
VMware released security advisory VMSA-2019-0022. Red Hat issued patches (RHSA-2019:4240, RHSA-2020:0199). Users should verify their specific build against vendor security advisories.
Remediation
- Upgrade Immediately: Apply the latest patches from VMware for ESXi and Horizon DaaS, and from Red Hat/Fedora for Linux distributions. This is a critical-rated vulnerability with active exploitation.
- Network Segmentation: Restrict network access to the SLP service to only trusted management hosts. Do not expose SLP to untrusted networks.
- Firewall Rules: Block SLP traffic at the network boundary unless specifically required for operations.
- Compensating Controls: If immediate patching is not possible, disable the OpenSLP/SLP service if it is not required for business operations, and monitor for suspicious activity.
Detection
- Network Monitoring: Monitor for anomalous SLP traffic, especially from unexpected source addresses.
- Endpoint/Hypervisor Logs: Review ESXi hostd.log and system logs for crashes or abnormal behavior in the SLP service.
- Vulnerability Scanning: Use CVE-2019-5544 detection plugins from approved vulnerability scanners to identify unpatched systems.
- Network Segmentation Audits: Verify that management interfaces and SLP services are not accessible from untrusted network segments.
Assessment
This vulnerability sits at the intersection of critical technical severity and active real-world exploitation. With an EPSS score of 0.96823 (99.88th percentile) and confirmed inclusion in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), the probability of exploitation is extremely high. The ransomware=true flag further indicates this flaw has been weaponized by ransomware groups.
Key Lessons:
- Network-Facing Services Require Strict Hardening: A service discovery protocol like SLP should not be exposed to untrusted networks. The low attack complexity and lack of authentication requirements make this a prime target for automated exploitation.
- Patch Velocity Matters: The vulnerability was disclosed in December 2019 but exploitation continued for years, as evidenced by its KEV entry in 2021. Organizations running legacy infrastructure or with delayed patching cycles remain at significant risk.
References
- http://www.vmware.com/security/advisories/VMSA-2019-0022.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5544
- https://access.redhat.com/errata/RHSA-2019:4240
- https://access.redhat.com/errata/RHSA-2020:0199
- https://security.gentoo.org/glsa/202005-12
- http://www.openwall.com/lists/oss-security/2019/12/10/2
- http://www.openwall.com/lists/oss-security/2019/12/11/2
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DA3LYAJ2NRKMOZLZOQNDJ5TNQRFMWGHF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZPXXJZLPLAQULBCJVI5NNWZ3PGWXGXWG/
Frequently asked questions
- What is CVE-2019-5544?
- OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
- How severe is CVE-2019-5544?
- CVE-2019-5544 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-5544 being actively exploited?
- Yes. CVE-2019-5544 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-5544?
- CVE-2019-5544 primarily affects Vmware Horizon Daas. In total, 260 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-5544?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-5544 have an EU (EUVD) identifier?
- Yes. CVE-2019-5544 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-15119. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2019-5544 published?
- CVE-2019-5544 was published on 2019-12-06 and last updated on 2026-06-17.
References
- http://www.openwall.com/lists/oss-security/2019/12/10/2
- http://www.openwall.com/lists/oss-security/2019/12/11/2
- http://www.vmware.com/security/advisories/VMSA-2019-0022.html
- https://access.redhat.com/errata/RHSA-2019:4240
- https://access.redhat.com/errata/RHSA-2020:0199
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DA3LYAJ2NRKMOZLZOQNDJ5TNQRFMWGHF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZPXXJZLPLAQULBCJVI5NNWZ3PGWXGXWG/
- https://security.gentoo.org/glsa/202005-12
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5544
Affected products (260)
- cpe:2.3:a:vmware:horizon_daas:*:*:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:-:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:1:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:1a:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:1b:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:2:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:3:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:3a:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201504401:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201505401:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201507101:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201507102:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201507401:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201507402:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201507403:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201507404:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201507405:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201507406:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201507407:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201509101:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201509102:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201509201:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201509202:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201509203:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201509204:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201509205:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201509206:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201509207:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201509208:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201509209:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201509210:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201510401:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201511401:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201601101:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201601102:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201601401:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201601402:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201601403:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201601404:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.0:600-201601405:*:*:*:*:*:*
More vulnerabilities in Vmware Horizon Daas
- CVE-2018-6960 — High (CVSS 8.8): VMware Horizon DaaS (7.x before 8.0.0) contains a broken authentication vulnerability that may allow an attacker to…
- CVE-2020-3977 — Medium (CVSS 6.5): VMware Horizon DaaS (7.x and 8.x before 8.0.1 Update 1) contains a broken authentication vulnerability due to a flaw in…
- CVE-2017-4897 — Medium (CVSS 5.5): VMware Horizon DaaS before 7.0.0 contains a vulnerability that exists due to insufficient validation of data. An…
All CVEs affecting Vmware Horizon Daas →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…