The US National Security Agency (NSA) on Monday issued an advisory warning that Russian threat actors are leveraging recently disclosed VMware vulnerability to install malware on corporate systems and access protected data.

Specifics regarding the identities of the threat actor exploiting the VMware flaw or when these attacks started were not disclosed.

The development comes two weeks after the virtualization software company publicly disclosed the flaw—affecting VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products for Windows and Linux—without releasing a patch and three days after releasing a software update to fix it.


In late November, VMware pushed temporary workarounds to address the issue, stating permanent patches for the flaw were "forthcoming." But it wasn't until December 3rd the escalation-of-privileges bug was entirely resolved.

That same day, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a brief bulletin encouraging administrators to review and apply and patch as soon as possible.

Tracked as CVE-2020-4006, the command injection vulnerability was originally given a CVSS score of 9.1 out of a maximum of 10 but was revised last week to 7.2 to reflect the fact that a malicious actor must possess valid credentials for the configurator admin account in order to attempt exploitation.

"This account is internal to the impacted products and a password is set at the time of deployment," VMware said in its advisory. "A malicious actor must possess this password to attempt to exploit CVE-2020-4006."

Although VMware didn't explicitly mention the bug was under active exploitation in the wild, according to the NSA, adversaries are now leveraging the flaw to launch attacks to pilfer protected data and abuse shared authentication systems.


"The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data," the agency said.

SAML or Security Assertion Markup Language is an open standard and an XML-based markup for exchanging authentication and authorization data between identity providers and service providers to facilitate single sign-on (SSO).

Besides urging organizations to update affected systems to the latest version, the agency also recommended securing the management interface with a strong, unique password.

Furthermore, the NSA advised enterprises to regularly monitor authentication logs for anomalous authentications as well as scan their server logs for the presence of "exit statements" that can suggest possible exploitation activity.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.