CVE-2020-3992

CVE-2020-3992 is a critical-severity vulnerability in Vmware Cloud Foundation with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-416.

Key facts

Description

OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.

CVE-2020-3992: VMware ESXi OpenSLP Use-After-Free Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2020-3992
CWE CWE-416: Use After Free
CVSS v3 9.8 (Critical)
EPSS 83.0% (0.83015)
KEV Yes (added 2021-11-03)
Ransomware Yes

Summary

CVE-2020-3992 is a critical use-after-free vulnerability in the OpenSLP service bundled with VMware ESXi. A malicious actor with network access to TCP port 427 on an ESXi host can trigger memory corruption, leading to unauthenticated remote code execution with root-level privileges on the hypervisor.

Background

OpenSLP (Open Service Location Protocol) is an open-source implementation of the Service Location Protocol (SLP, RFC 2608) used for service discovery within local networks. VMware ESXi includes an OpenSLP daemon that listens on TCP and UDP port 427 to advertise and discover services on the management network. Because the daemon runs as part of the ESXi operating system, compromising it grants an attacker full control over the hypervisor and potentially all guest virtual machines hosted on it.

Root Cause

The vulnerability is classified as CWE-416: Use After Free. The OpenSLP daemon in affected ESXi versions fails to properly manage the lifecycle of dynamically allocated memory objects during SLP message parsing. Specifically, when processing malformed or specially crafted SLP requests, a memory buffer is freed prematurely while a pointer to that buffer remains valid and is subsequently dereferenced. This dangling-pointer condition corrupts the heap and can be leveraged to hijack control flow, bypassing modern mitigations due to the daemon's execution context.

Impact

The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields a base score of 9.8 (Critical):

  • Attack Vector (AV:N): The vulnerability is exploitable from the network via TCP/427 on the management network.
  • Attack Complexity (AC:L): Low complexity; no special conditions beyond network reachability are required.
  • Privileges Required (PR:N): None; the attacker needs no credentials.
  • User Interaction (UI:N): None; fully automated exploitation is possible.
  • Scope (S:U): The vulnerable component is the ESXi host itself; impact does not extend to other managed resources via the same vulnerability.
  • Confidentiality, Integrity, Availability (C:H/I:H/A:H): Successful exploitation results in complete loss of confidentiality, integrity, and availability of the hypervisor.

Because ESXi is a bare-metal hypervisor, compromise at this layer implies potential compromise of all guest workloads, storage networks, and management planes attached to the host.

Exploitation Walkthrough

Ethics Caveat: The following description is intentionally high-level and defensive in nature. It is provided to help defenders understand attacker tradecraft and build detections, not to enable unauthorized access.

An attacker positioned on the ESXi management network (or able to route traffic to TCP port 427) crafts a malformed SLP request that triggers the use-after-free condition. The typical flow involves:

  1. Service Discovery: The attacker probes TCP/427 to confirm the OpenSLP daemon is active.
  2. Heap Grooming: A sequence of SLP requests is sent to shape the heap layout, increasing the reliability of landing a controlled object in the freed slot.
  3. Trigger: A final malformed request causes the dangling pointer to be dereferenced, redirecting execution to attacker-controlled shellcode or a Return-Oriented Programming (ROP) chain.
  4. Post-Exploitation: With code execution in the context of the root user, the attacker can drop implants, exfiltrate virtual machine disk images, or pivot into the vCenter management plane.

Real-world exploitation of this flaw has been linked to ransomware campaigns, where compromised ESXi hosts were used to encrypt guest virtual machines at scale.

Affected and Patched Versions

Affected Patched
VMware ESXi 7.0 before ESXi_7.0.1-0.0.16850804 ESXi_7.0.1-0.0.16850804 and later
VMware ESXi 6.7 before ESXi670-202010401-SG ESXi670-202010401-SG and later
VMware ESXi 6.5 before ESXi650-202010401-SG ESXi650-202010401-SG and later
VMware Cloud Foundation (affected versions) Apply corresponding ESXi patches

Remediation

Primary: Upgrade ESXi to the patched build listed above. VMware released VMSA-2020-0023 with detailed patch instructions.

Compensating Controls (if patching is delayed):

  • Restrict network access to TCP/427 and UDP/427 on ESXi hosts to only trusted management stations and vCenter appliances.
  • Implement VLAN segmentation to isolate the ESXi management network from general user traffic.
  • Disable the OpenSLP service if service discovery is not required (consult VMware documentation for impact).
  • Enable lockdown mode on ESXi hosts to limit management interfaces.
  • Monitor for unexpected SLP traffic or connections to port 427 from non-management hosts.

Detection

  • Network: Monitor for anomalous SLP traffic (port 427) originating from untrusted subnets or showing abnormal request sizes and frequencies.
  • Host: Review ESXi host logs (/var/log/syslog.log, /var/log/vmkernel.log) for SLP daemon crashes or memory fault indicators.
  • IDS/IPS: Ensure signatures for SLP heap-corruption exploit attempts are active on management-network sensors.
  • Behavioral: Alert on unexpected authentication or command execution patterns on ESXi hosts following SLP connections.

Assessment

CVE-2020-3992 is a textbook example of why network-facing services on hypervisors must be minimal and tightly controlled. With an EPSS of 83.0% and a KEV entry dated 2021-11-03, this flaw is not merely theoretical—it has been actively exploited by ransomware operators for years. The high EPSS percentile (99.6%) indicates that exploitation probability is near the top of all published CVEs.

Lessons:

  1. Reduce Attack Surface: If a service like OpenSLP is not essential, it should be disabled or firewalled by default. Hypervisors are high-value targets; every open port is a liability.
  2. Patch Velocity Matters: The gap between disclosure (October 2020) and KEV cataloging (November 2021) gave attackers ample time to weaponize this flaw. Organizations with slow patching cycles on infrastructure components face disproportionate risk.

References

Frequently asked questions

What is CVE-2020-3992?
OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
How severe is CVE-2020-3992?
CVE-2020-3992 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2020-3992 being actively exploited?
Yes. CVE-2020-3992 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2020-3992?
CVE-2020-3992 primarily affects Vmware Cloud Foundation. In total, 223 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2020-3992?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2020-3992 have an EU (EUVD) identifier?
Yes. CVE-2020-3992 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2020-25257. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2020-3992 published?
CVE-2020-3992 was published on 2020-10-20 and last updated on 2026-06-17.

References

Affected products (223)

More vulnerabilities in Vmware Cloud Foundation

All CVEs affecting Vmware Cloud Foundation →

Other CWE-416 (Use After Free) vulnerabilities

Browse all CWE-416 (Use After Free) vulnerabilities →