Attacker Value
Very High
(4 users assessed)
Very High
(4 users assessed)
User Interaction
Privileges Required
Attack Vector

CVE-2020-3952 - VMware vCenter Server vmdir Information Disclosure

Disclosure Date: April 10, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.


Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.

Add Assessment

Technical Analysis

Technical details on the vuln are out: It’s quite a bit more than information disclosure. Full auth bypass and the ability to add an arbitrary admin user. I’ve confirmed it myself and added a second module.

ETA: I noted the following in an earlier response here:

The data seemed to contain secrets related to VMware’s Security Token Service (STS) for single sign-on (SSO).

So information disclosure is still on the table for obtaining access. Presumably, you would use the STS private key to sign forged SAML tokens used in the STS SSO system. Wanted to update AKB, since we’d been talking about it in work Slack. :)

Hats off to the Guardicore team for their dedicated analysis.

General Information


  • VMware vCenter Server

Additional Info

Technical Analysis