CVE-2020-3992
CVE-2020-3992 is a critical-severity vulnerability in Vmware Cloud Foundation with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-416.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 83% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2020-25257
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-416
- Affected product: Vmware Cloud Foundation
- Published:
- Last modified:
Description
OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
CVE-2020-3992: VMware ESXi OpenSLP Use-After-Free Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2020-3992 |
| CWE | CWE-416: Use After Free |
| CVSS v3 | 9.8 (Critical) |
| EPSS | 83.0% (0.83015) |
| KEV | Yes (added 2021-11-03) |
| Ransomware | Yes |
Summary
CVE-2020-3992 is a critical use-after-free vulnerability in the OpenSLP service bundled with VMware ESXi. A malicious actor with network access to TCP port 427 on an ESXi host can trigger memory corruption, leading to unauthenticated remote code execution with root-level privileges on the hypervisor.
Background
OpenSLP (Open Service Location Protocol) is an open-source implementation of the Service Location Protocol (SLP, RFC 2608) used for service discovery within local networks. VMware ESXi includes an OpenSLP daemon that listens on TCP and UDP port 427 to advertise and discover services on the management network. Because the daemon runs as part of the ESXi operating system, compromising it grants an attacker full control over the hypervisor and potentially all guest virtual machines hosted on it.
Root Cause
The vulnerability is classified as CWE-416: Use After Free. The OpenSLP daemon in affected ESXi versions fails to properly manage the lifecycle of dynamically allocated memory objects during SLP message parsing. Specifically, when processing malformed or specially crafted SLP requests, a memory buffer is freed prematurely while a pointer to that buffer remains valid and is subsequently dereferenced. This dangling-pointer condition corrupts the heap and can be leveraged to hijack control flow, bypassing modern mitigations due to the daemon's execution context.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields a base score of 9.8 (Critical):
- Attack Vector (AV:N): The vulnerability is exploitable from the network via TCP/427 on the management network.
- Attack Complexity (AC:L): Low complexity; no special conditions beyond network reachability are required.
- Privileges Required (PR:N): None; the attacker needs no credentials.
- User Interaction (UI:N): None; fully automated exploitation is possible.
- Scope (S:U): The vulnerable component is the ESXi host itself; impact does not extend to other managed resources via the same vulnerability.
- Confidentiality, Integrity, Availability (C:H/I:H/A:H): Successful exploitation results in complete loss of confidentiality, integrity, and availability of the hypervisor.
Because ESXi is a bare-metal hypervisor, compromise at this layer implies potential compromise of all guest workloads, storage networks, and management planes attached to the host.
Exploitation Walkthrough
Ethics Caveat: The following description is intentionally high-level and defensive in nature. It is provided to help defenders understand attacker tradecraft and build detections, not to enable unauthorized access.
An attacker positioned on the ESXi management network (or able to route traffic to TCP port 427) crafts a malformed SLP request that triggers the use-after-free condition. The typical flow involves:
- Service Discovery: The attacker probes TCP/427 to confirm the OpenSLP daemon is active.
- Heap Grooming: A sequence of SLP requests is sent to shape the heap layout, increasing the reliability of landing a controlled object in the freed slot.
- Trigger: A final malformed request causes the dangling pointer to be dereferenced, redirecting execution to attacker-controlled shellcode or a Return-Oriented Programming (ROP) chain.
- Post-Exploitation: With code execution in the context of the root user, the attacker can drop implants, exfiltrate virtual machine disk images, or pivot into the vCenter management plane.
Real-world exploitation of this flaw has been linked to ransomware campaigns, where compromised ESXi hosts were used to encrypt guest virtual machines at scale.
Affected and Patched Versions
| Affected | Patched |
|---|---|
| VMware ESXi 7.0 before ESXi_7.0.1-0.0.16850804 | ESXi_7.0.1-0.0.16850804 and later |
| VMware ESXi 6.7 before ESXi670-202010401-SG | ESXi670-202010401-SG and later |
| VMware ESXi 6.5 before ESXi650-202010401-SG | ESXi650-202010401-SG and later |
| VMware Cloud Foundation (affected versions) | Apply corresponding ESXi patches |
Remediation
Primary: Upgrade ESXi to the patched build listed above. VMware released VMSA-2020-0023 with detailed patch instructions.
Compensating Controls (if patching is delayed):
- Restrict network access to TCP/427 and UDP/427 on ESXi hosts to only trusted management stations and vCenter appliances.
- Implement VLAN segmentation to isolate the ESXi management network from general user traffic.
- Disable the OpenSLP service if service discovery is not required (consult VMware documentation for impact).
- Enable lockdown mode on ESXi hosts to limit management interfaces.
- Monitor for unexpected SLP traffic or connections to port 427 from non-management hosts.
Detection
- Network: Monitor for anomalous SLP traffic (port 427) originating from untrusted subnets or showing abnormal request sizes and frequencies.
- Host: Review ESXi host logs (
/var/log/syslog.log,/var/log/vmkernel.log) for SLP daemon crashes or memory fault indicators. - IDS/IPS: Ensure signatures for SLP heap-corruption exploit attempts are active on management-network sensors.
- Behavioral: Alert on unexpected authentication or command execution patterns on ESXi hosts following SLP connections.
Assessment
CVE-2020-3992 is a textbook example of why network-facing services on hypervisors must be minimal and tightly controlled. With an EPSS of 83.0% and a KEV entry dated 2021-11-03, this flaw is not merely theoretical—it has been actively exploited by ransomware operators for years. The high EPSS percentile (99.6%) indicates that exploitation probability is near the top of all published CVEs.
Lessons:
- Reduce Attack Surface: If a service like OpenSLP is not essential, it should be disabled or firewalled by default. Hypervisors are high-value targets; every open port is a liability.
- Patch Velocity Matters: The gap between disclosure (October 2020) and KEV cataloging (November 2021) gave attackers ample time to weaponize this flaw. Organizations with slow patching cycles on infrastructure components face disproportionate risk.
References
Frequently asked questions
- What is CVE-2020-3992?
- OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
- How severe is CVE-2020-3992?
- CVE-2020-3992 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2020-3992 being actively exploited?
- Yes. CVE-2020-3992 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2020-3992?
- CVE-2020-3992 primarily affects Vmware Cloud Foundation. In total, 223 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-3992?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2020-3992 have an EU (EUVD) identifier?
- Yes. CVE-2020-3992 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2020-25257. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2020-3992 published?
- CVE-2020-3992 was published on 2020-10-20 and last updated on 2026-06-17.
References
- https://www.vmware.com/security/advisories/VMSA-2020-0023.html
- https://www.zerodayinitiative.com/advisories/ZDI-20-1377/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1385/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3992
Affected products (223)
- cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:-:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:2:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201701001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201703001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201703002:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201704001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707101:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707102:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707103:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707201:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707202:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707203:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707204:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707205:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707206:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707207:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707208:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707209:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707210:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707211:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707212:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707213:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707214:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707215:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707216:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707217:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707218:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707219:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707220:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707221:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201710001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201712001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201803001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201806001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201808001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201810001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201810002:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201811001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201811002:*:*:*:*:*:*
More vulnerabilities in Vmware Cloud Foundation
- CVE-2023-34063 — Critical (CVSS 9.9): Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this…
- CVE-2024-38812 — Critical (CVSS 9.8): The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious…
- CVE-2024-37079 — Critical (CVSS 9.8): vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor…
- CVE-2023-20864 — Critical (CVSS 9.8): VMware Aria Operations for Logs contains a deserialization vulnerability. An unauthenticated, malicious actor with…
- CVE-2022-22972 — Critical (CVSS 9.8): VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability…
- CVE-2022-22954 — Critical (CVSS 9.8): VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side…
All CVEs affecting Vmware Cloud Foundation →
Other CWE-416 (Use After Free) vulnerabilities
- CVE-2026-13782 — Critical (CVSS 10.0): Use after free in Browser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the…
- CVE-2026-4725 — Critical (CVSS 10.0): Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149…
- CVE-2026-4688 — Critical (CVSS 10.0): Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox…
- CVE-2025-24085 — Critical (CVSS 10.0): A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.3 and iPadOS 18.3,…
- CVE-2024-43102 — Critical (CVSS 10.0): Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of…
- CVE-2021-32495 — Critical (CVSS 10.0): Radare2 has a use-after-free vulnerability in pyc parser's get_none_object function. Attacker can read freed memory…