CVE-2019-5544

CVE-2019-5544 is a critical-severity vulnerability in Vmware Horizon Daas with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-787.

Key facts

Description

OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

CVE-2019-5544: OpenSLP Heap Overwrite in VMware ESXi and Horizon DaaS

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2019-5544
Published 2019-12-06
CVSS v3 9.8 (Critical)
CVSS v2 7.5
EPSS 0.96823 (99.88th percentile)
KEV Yes (2021-11-03)
Ransomware Yes
CWE CWE-787

Summary

OpenSLP as used in VMware ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware evaluated this as Critical with a maximum CVSSv3 base score of 9.8. The vulnerability allows unauthenticated remote exploitation with low complexity.

Background

OpenSLP (Open Service Location Protocol) is an open-source implementation of the Service Location Protocol used for service discovery in network environments. VMware embedded OpenSLP in its ESXi hypervisor and Horizon DaaS (Desktop as a Service) appliances. The vulnerability was disclosed in December 2019 by VMware.

Root Cause

The vulnerability is classified as CWE-787: Out-of-bounds Write. A heap overwrite occurs in the OpenSLP component when processing network input. This memory corruption allows overwriting heap data beyond the intended buffer boundary, which can lead to complete system compromise.

Impact

The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8. This indicates:

  • Network Attack Vector (AV:N): Exploitable remotely over the network without local access.
  • Low Attack Complexity (AC:L): No special conditions or advanced techniques are required.
  • No Privileges Required (PR:N): Exploitation does not require authenticated or privileged access.
  • No User Interaction (UI:N): The attack can be executed without any action from a legitimate user.
  • High Impact on Confidentiality, Integrity, and Availability (C:H/I:H/A:H): Successful exploitation results in complete compromise across all three security dimensions.

Exploitation Walkthrough

Ethics Notice: This section is provided for defensive and educational purposes only. Exploitation of vulnerabilities without authorization is illegal and unethical. The following describes how attackers may leverage this flaw so defenders can understand their exposure.

An attacker with network access to the target system can send specially crafted SLP requests to the OpenSLP service on ESXi or Horizon DaaS. The malformed input triggers the heap overwrite condition, potentially allowing the attacker to corrupt heap metadata and achieve complete system compromise. Because no authentication is required and the attack complexity is low, this vulnerability is particularly attractive to automated threat actors and ransomware operators.

Affected and Patched Versions

Based on the CPE data provided:

  • VMware ESXi: Versions 6.0, 6.5, and 6.7 (including numerous patch levels)
  • VMware Horizon DaaS: Affected
  • OpenSLP: OpenSLP project versions
  • Red Hat Enterprise Linux: Desktop 6, 7; Server 6, 7; Workstation 6, 7; and various architecture-specific variants
  • Fedora: Versions 30 and 31

VMware released security advisory VMSA-2019-0022. Red Hat issued patches (RHSA-2019:4240, RHSA-2020:0199). Users should verify their specific build against vendor security advisories.

Remediation

  1. Upgrade Immediately: Apply the latest patches from VMware for ESXi and Horizon DaaS, and from Red Hat/Fedora for Linux distributions. This is a critical-rated vulnerability with active exploitation.
  2. Network Segmentation: Restrict network access to the SLP service to only trusted management hosts. Do not expose SLP to untrusted networks.
  3. Firewall Rules: Block SLP traffic at the network boundary unless specifically required for operations.
  4. Compensating Controls: If immediate patching is not possible, disable the OpenSLP/SLP service if it is not required for business operations, and monitor for suspicious activity.

Detection

  • Network Monitoring: Monitor for anomalous SLP traffic, especially from unexpected source addresses.
  • Endpoint/Hypervisor Logs: Review ESXi hostd.log and system logs for crashes or abnormal behavior in the SLP service.
  • Vulnerability Scanning: Use CVE-2019-5544 detection plugins from approved vulnerability scanners to identify unpatched systems.
  • Network Segmentation Audits: Verify that management interfaces and SLP services are not accessible from untrusted network segments.

Assessment

This vulnerability sits at the intersection of critical technical severity and active real-world exploitation. With an EPSS score of 0.96823 (99.88th percentile) and confirmed inclusion in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), the probability of exploitation is extremely high. The ransomware=true flag further indicates this flaw has been weaponized by ransomware groups.

Key Lessons:

  1. Network-Facing Services Require Strict Hardening: A service discovery protocol like SLP should not be exposed to untrusted networks. The low attack complexity and lack of authentication requirements make this a prime target for automated exploitation.
  2. Patch Velocity Matters: The vulnerability was disclosed in December 2019 but exploitation continued for years, as evidenced by its KEV entry in 2021. Organizations running legacy infrastructure or with delayed patching cycles remain at significant risk.

References

Frequently asked questions

What is CVE-2019-5544?
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
How severe is CVE-2019-5544?
CVE-2019-5544 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-5544 being actively exploited?
Yes. CVE-2019-5544 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-5544?
CVE-2019-5544 primarily affects Vmware Horizon Daas. In total, 260 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2019-5544?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-5544 have an EU (EUVD) identifier?
Yes. CVE-2019-5544 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-15119. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2019-5544 published?
CVE-2019-5544 was published on 2019-12-06 and last updated on 2026-06-17.

References

Affected products (260)

More vulnerabilities in Vmware Horizon Daas

All CVEs affecting Vmware Horizon Daas →

Other CWE-787 (Out-of-bounds Write) vulnerabilities

Browse all CWE-787 (Out-of-bounds Write) vulnerabilities →