CVE-2020-3952 — VMware vCenter Server Information Disclosure Vulnerability

VMware vCenter Server — vmdir LDAP Access Control Bypass Exposes All Credentials

What is VMware vCenter Server?

VMware vCenter Server is the centralized management platform for VMware vSphere environments — the hypervisor infrastructure used by the majority of enterprise data centers worldwide. vCenter manages ESXi hosts and all virtual machines running on them, including provisioning, configuration, and access control. Compromising vCenter gives an attacker administrative control over every virtual machine in the environment: they can create/delete VMs, exfiltrate VM disk images, deploy malware to every VM simultaneously, or destroy entire data center environments. The VMware Directory Service (vmdir) is vCenter's built-in LDAP directory that stores all vSphere authentication data.

Overview

CVE-2020-3952 is a missing authentication / access control bypass (CWE-306) in VMware vCenter Server's VMware Directory Service (vmdir). Under certain upgrade conditions, vmdir fails to enforce access controls on its LDAP interface (port 389). An unauthenticated attacker with network access to this port can dump the entire vmdir database — including password hashes for all vCenter users and administrators, SSL certificate private keys, and vSphere configuration data. This provides everything needed to authenticate to vCenter as an administrator and take full control of the virtualization environment.

Affected Versions

Product               Vulnerable                                           Fixed
vCenter Server 6.7    Deployments upgraded from 6.x (not fresh installs)   6.7 U3f
vCenter Server 6.5    Specific upgrade scenarios                           6.5 U3n

The vulnerability manifests specifically in vCenter installations that were upgraded from an earlier version (6.0 or 6.5) to 6.7, not in fresh 6.7 installations. During the upgrade, a configuration value controlling vmdir's access control mode was not updated correctly, leaving vmdir in a permissive mode.

Technical Details

VMware Directory Service (vmdir) is a custom LDAP directory server built into vCenter that stores the vSphere SSO (Single Sign-On) domain. It runs on the Platform Services Controller (PSC) and listens on ports 389 (LDAP) and 636 (LDAPS).

In a correctly configured deployment, vmdir requires authentication before serving directory data. In the vulnerable upgrade scenario, vmdir's access control is set to a permissive mode that allows unauthenticated read access. An attacker can use any standard LDAP client to connect to port 389 and issue ldapsearch queries to dump:

  • All vCenter user accounts and their password hashes
  • vCenter administrator account credentials (hashed, but often crackable)
  • vSphere SSO token signing certificates and private keys
  • Internal configuration data for the vSphere environment

With the SSO signing certificate private key, an attacker can forge SSO tokens and authenticate to vCenter as any user — including administrators — without knowing any passwords.

Discovery

The vulnerability was discovered by VMware's own security team during internal testing of upgrade paths. It was patched on April 10, 2020, with public exploit code appearing shortly after. Because the affected condition is so specific (upgraded, not fresh installs), some organizations with freshly installed vCenter deployments were not affected, but the majority of enterprise deployments are upgrades.

Exploitation Context

CISA added CVE-2020-3952 to the KEV catalog on November 3, 2021. VMware vCenter is a perennial high-value target: its position as the control plane for entire data center virtualization stacks makes it a prime objective for ransomware operators (who use vCenter access to encrypt all VMs simultaneously), nation-state actors (who extract VM disk images for data exfiltration), and destructive attackers. Public exploit code appeared within days of patch release.

Exploitation of this CVE typically results in:

  • Complete vCenter administrative takeover
  • Mass VM encryption (ransomware deployment to all VMs simultaneously)
  • VM snapshot theft for data exfiltration
  • Persistent ESXi backdoors installed via vCenter (e.g., vSphere Installation Bundle / VIB malware)

Remediation

  1. Upgrade to vCenter Server 6.7 U3f (or 6.5 U3n for older environments) immediately.
  2. Verify whether affected: To check whether vmdir is in permissive mode, connect to port 389 with an anonymous LDAP bind and attempt an ldapsearch — if it returns data without credentials, vmdir is exposed.
  3. Firewall port 389: Restrict LDAP access to port 389 to known vCenter servers and administrative hosts only — vmdir should never be reachable from general corporate networks or the internet.
  4. Rotate all vCenter credentials: Assume all vCenter user passwords and SSO certificates were exfiltrated if the system was vulnerable and accessible. Rotate all passwords and regenerate SSL certificates.
  5. Audit for compromise: Check vCenter event logs and ESXi host task history for unauthorized VM operations, new admin accounts, or VIB installations around the exposure window.
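The verification in step 2, as an added defender-side script (not from the advisory or from VMware). It assumes OpenLDAP's ldapsearch is installed and takes the SSO domain's base DN as a parameter; dc=vsphere,dc=local is a placeholder, not a value the advisory states. Requesting only the attribute "1.1" (RFC 4511: return no attributes) proves the exposure from returned DNs alone, without pulling any password hashes.

```shell
#!/bin/sh
# Added example for remediation step 2 (not from the advisory or VMware).
# Assumptions: OpenLDAP ldapsearch is installed; BASE_DN is your SSO
# domain's DN (dc=vsphere,dc=local below is a placeholder).

# classify_ldap_output: read ldapsearch stdout+stderr on stdin, print a verdict.
#   EXPOSED   - entries (dn: lines) came back for an anonymous bind: the
#               permissive vmdir state this CVE describes
#   PROTECTED - server refused anonymous access (result 48/50 or the
#               equivalent ldapsearch error text)
#   UNKNOWN   - unreachable, wrong base DN (result 32), empty result, etc.
classify_ldap_output() {
  out=$(cat)
  # Entries returned take precedence: even a partial dump means exposure.
  if printf '%s\n' "$out" | grep -q '^dn: '; then
    echo EXPOSED
  elif printf '%s\n' "$out" | grep -qE 'Insufficient access|Inappropriate authentication|^result: (48|50) '; then
    echo PROTECTED
  else
    echo UNKNOWN
  fi
}

# check_vmdir_anonymous HOST [BASE_DN]: anonymous simple bind (-x with no
# -D/-w), subtree search from the base DN, DNs only ("1.1"), 10 s limits.
check_vmdir_anonymous() {
  host=$1
  base=${2:-dc=vsphere,dc=local}   # placeholder; pass your SSO domain's DN
  ldapsearch -x -H "ldap://$host:389" -b "$base" -s sub -l 10 -o nettimeout=10 \
    '(objectClass=*)' 1.1 2>&1 | classify_ldap_output
}

# Usage (hypothetical host name):
#   check_vmdir_anonymous vcenter.example.internal dc=vsphere,dc=local
```

A verdict of EXPOSED on a patched build or a fresh install still warrants investigation, since it means anonymous reads are permitted regardless of the upgrade path.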

Key Details

Property               Value
CVE ID                 CVE-2020-3952
Vendor / Product       VMware — vCenter Server
NVD Published          2020-04-10
NVD Last Modified      2025-10-30
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-306
CISA KEV Added         2021-11-03
CISA KEV Deadline      2022-05-03
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date         Event
2020-04-10   VMware patches CVE-2020-3952 in vCenter Server 6.7 U3f; VMSA-2020-0006 published
2020-04-15   Public exploit code appears within days of patch
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03   CISA BOD 22-01 remediation deadline

References

Resource                                   Type
VMware Security Advisory VMSA-2020-0006    Vendor Advisory
NVD — CVE-2020-3952                        Vulnerability Database
CISA KEV Catalog Entry                     US Government