After VMware released security updates for CVE-2020-4006 last week, the National Security Agency (NSA) is now warning that Russian state-sponsored actors are exploiting unpatched systems to deploy web shells and steal information. The vulnerability was initially rated as “critical”, but VMware lowered the severity rating to “important” after releasing a patch and due to the exploit requiring valid credentials for the configurator account. Affected VMware products include:

• VMware Workspace One Access 20.01, 20.10 (Linux)
• VMware Identity Manager (vIDM) 3.3.1 up to 3.3.3 (Linux)
• VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2 (Linux)
• VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3 / 19.03.0.0, 19.03.0.1 (Windows)
• VMware Cloud Foundation 6 4.x
• VMware vRealize Suite Lifecycle Manager 7 8.x

Attacks involving CVE-2020-4006 involved threat actors connecting to exposed web-based management interface of the vulnerable products to install web shells through command injection. If successful, the actors would then steal sensitive data using SAML credentials and attempt to gain access to Microsoft Active Directory Federation Services (ADFS) servers.