Recently VMWare released a patch for the flaw tracked as CVE-2020-3950 that affected Fusion, Remote Console (VMRC) and Horizon Client for Mac. However, while the vulnerability has been fixed for VMRC and Horizon Client, the patch does not completely fix the vulnerability for the Fusion product. The researchers credited for finding the vulnerability, “Jeffball” from cybersecurity firm GRIMM and Rich Mirch, say that the original proof of concept (PoC) exploit code, which they have publicly released, still works against Fusion 11.5.2. “VMware USB Arbitrator Service and Open VMware Fusion Services are both setuid root binaries located at /Applications/VMware Fusion.app/Contents/Library/services,” Mirch stated in his description of the PoC exploit. “When executed outside of the standard path the binaries can be tricked into executing a program from a path that the attacker controls. This is achieved by creating a hard link to the original binary. The binaries use part of the attacker-controlled path when executing the service and do not correctly validate that the target binary is legit.”