CVE-2019-5544

CRITICAL KEV RANSOMWARE NUCLEI

VMware Horizon DaaS 8.0.0-8.9.9 - Heap Overflow via OpenSLP

Title source: llm

Exploitation Summary

CVE-2019-5544 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including dgh05t and HynekPetrak. A Nuclei detection template is also available.

Description

OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Exploits (2)

nomisec WORKING POC 68 stars
by dgh05t · dos
https://github.com/dgh05t/VMware_ESXI_OpenSLP_PoCs

This repository contains proof-of-concept exploits for CVE-2019-5544 and CVE-2020-3992, both targeting VMware ESXi's OpenSLP service. The exploits leverage heap overflow and memory corruption vulnerabilities to potentially achieve remote code execution or denial of service.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Theoretical
Target: VMware ESXi (OpenSLP service)
No auth needed
Prerequisites: Network access to the target's OpenSLP service (port 427)
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 49 stars
by HynekPetrak · infoleak
https://github.com/HynekPetrak/CVE-2019-5544_CVE-2020-3992

This repository contains a Python script that scans for OpenSLP services, which may be vulnerable to CVE-2019-5544 and CVE-2020-3992. The script uses the Scapy library to send SLP protocol packets and detect services, but it does not exploit the vulnerabilities.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: VMware ESXi with OpenSLP service
No auth needed
Prerequisites: Network access to target systems · Python 3 and Scapy library installed
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

VMware ESXi SLP - Heap Overflow DoS
CRITICAL VERIFIED by riteshs4hu
Shodan: http.title:"horizon daas"
FOFA: title="horizon daas"

References (9)

Core References
Patch, Vendor Advisory x_refsource_confirm
http://www.vmware.com/security/advisories/VMSA-2019-0022.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/12/10/2
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/12/11/2
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:4240
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0199
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202005-12

Scores

CVSS v3 9.8
EPSS 0.9682
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2020-11-11
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2019-15119
Ransomware Use Confirmed
CWE CWE-787
Status published
Products (21)
fedoraproject/fedora 30
fedoraproject/fedora 31
openslp/openslp < 2.0.0
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_for_ibm_z_systems 6.0_s390x
redhat/enterprise_linux_for_ibm_z_systems 7.0_s390x
redhat/enterprise_linux_for_ibm_z_systems_eus 7.7_s390x
redhat/enterprise_linux_for_power_big_endian 6.0_ppc64
redhat/enterprise_linux_for_power_big_endian 7.0_ppc64
... and 11 more
Published Dec 06, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026