CVE-2009-3733

EXPLOITED

VMware ESX 3.0.3 and 3.5 and ESXi 3.5 - Path Traversal

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2009-3733 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Justin Morehouse, including a Metasploit module auxiliary/scanner/vmware/vmware_server_dir_trav.

AI-analyzed exploit summary This Nmap NSE script checks for a directory traversal vulnerability in VMware ESX, ESXi, and Server (CVE-2009-3733) by attempting to access sensitive files via path traversal techniques. It retrieves and parses the vmInventory.xml file to enumerate VM configurations.

Description

Directory traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5 allows remote attackers to read arbitrary files via unspecified vectors.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Justin Morehouse · remotemultiple
https://www.exploit-db.com/exploits/33310

This Nmap NSE script checks for a directory traversal vulnerability in VMware ESX, ESXi, and Server (CVE-2009-3733) by attempting to access sensitive files via path traversal techniques. It retrieves and parses the vmInventory.xml file to enumerate VM configurations.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: VMware ESX, ESXi, and Server
No auth needed
Prerequisites: Network access to VMware management interface (ports 80, 443, 8222, or 8333)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_server_dir_trav.rb

This Metasploit module exploits a directory traversal vulnerability in VMware Server 1.x/2.x and ESXi/ESX 3.x, allowing remote attackers to read arbitrary files via crafted HTTP requests. It targets ports 8222/8333 and uses URL-encoded traversal sequences to access sensitive files like vmInventory.xml.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: VMware Server 1.x before 1.0.10 build 203137, 2.x before 2.0.2 build 203138, VMware ESXi 3.5, VMware ESX 3.0.3 and 3.5
No auth needed
Prerequisites: Network access to vulnerable VMware service ports (8222/8333)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-201209-25.xml
Patch, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3062
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1023089
Patch, Vendor Advisory mailing-list x_refsource_mlist
http://lists.vmware.com/pipermail/security-announce/2009/000069.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36842
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37186
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/507523/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1023088
Patch, Vendor Advisory x_refsource_confirm
http://www.vmware.com/security/advisories/VMSA-2009-0015.html

Scores

EPSS 0.9006
EPSS Percentile 99.6%

Details

VulnCheck KEV 2025-02-27
CWE
CWE-22
Status published
Products (17)
vmware/esx 3.0.3
vmware/esx 3.5
vmware/esxi 3.5
vmware/server 1.0
vmware/server 1.0.1
vmware/server 1.0.1_build_29996
vmware/server 1.0.2
vmware/server 1.0.3
vmware/server 1.0.4
vmware/server 1.0.4_build_56528
... and 7 more
Published Nov 02, 2009
Tracked Since Feb 18, 2026