VMware Cloud Director Remote Code Execution Vulnerability

On May 19,2020 VMware released an advisory to address Remote Code Execution vulnerability in VMware Cloud DirectorCVE-2020-3956 has assigned to track this vulnerability.

vCloud Director

VMware Cloud Director (formerly known as vCloud Director) is a popular deployment, automation, and management software that’s used to operate and manage cloud resources, allowing businesses to data centers distributed across different geographical locations into virtual data centers


“An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access,”


VMware Cloud Director 10.0.x before

VMware Cloud Director 9.7.x before

VMware Cloud Director 9.5.x before

VMware Cloud Director 9.1.x before

Brief Analysis

Security researchers revealed an EL (Expression Language) based Injection vulnerability that enabled an authenticated actor to send a malicious payload (via API calls or intercepted Web request) that led to

  • privilege escalation — “Organization Administrator” (tenant account) to “System Administrator” (hypervisor)
  • cross tenancy lateral movement
  • sensitive infrastructure information disclosure
  • password and credentials to further privilege escalation

Expression Language (EL) Injection

“Expression Language” (EL) was developed as part of JSTL (Java Server Pages Standard Tag Library) in order to provide the convenience of exporting Object Models (Abstract Types) into JSP (Java Server Pages) view interfaces. After gaining adoption in JSP pages, it’s utility amplified into non-view interfaces as well.

This was a feature provided by framework authors to enable the paradigm of code that generates code.

Using this as an entry point, we will able to access arbitrary Java classes (e.g. “java.io.BufferedReader“) and instantiate them by passing malicious payloads.

Scope of Exposure
  • Public cloud providers using VMware vCloud Director.
  • Private cloud providers using VMware vCloud Director
  • Enterprises using VMware vCloud Director technology
  • Any government identity using VMware Cloud Director


Citadelo made the Technical details available for educational purposes only. They have also published a PoC to demonstrate the vulnerability. An attacker must be authenticated in order to exploit CVE-2020-3956, so it will need Username and Password of vCloud Director.


To remediate CVE-2020-3956 apply the patches recommended by the vendor in VMSA-2020-0010.

VMware Cloud Director

VMware Cloud Director

VMware Cloud Director

VMware Cloud Director


VMware has also released a workaround to mitigate the risk of attacks exploiting the issue.Those that can’t upgrade to a recommended Patched versions, please make sure you have applied the workaround.







Leave a Reply

Your email address will not be published. Required fields are marked *