CVE-2020-3950

HIGH KEV

VMware Fusion <11.5.2 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-3950 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 4 public exploits from researchers including Metasploit, Rich Mirch, h00die, Dhanesh Kizhakkinan, Rich Mirch, jeffball <[email protected]>, grimm, including a Metasploit module exploits/osx/local/vmware_fusion_lpe.

AI-analyzed exploit summary This Metasploit module exploits a setuid binary vulnerability in VMware Fusion (CVE-2020-3950) by creating a hard link to the 'Open VMware USB Arbitrator Service' binary and replacing it with a malicious payload to achieve privilege escalation.

Description

VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) contain a privilege escalation vulnerability due to improper use of setuid binaries. Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC or Horizon Client is installed.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalmacos
https://www.exploit-db.com/exploits/48337

This Metasploit module exploits a setuid binary vulnerability in VMware Fusion (CVE-2020-3950) by creating a hard link to the 'Open VMware USB Arbitrator Service' binary and replacing it with a malicious payload to achieve privilege escalation.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: VMware Fusion 10.1.3 - 11.5.3
No auth needed
Prerequisites: Local access to a vulnerable VMware Fusion installation · Ability to execute commands on the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Rich Mirch · bashlocalmacos
https://www.exploit-db.com/exploits/48235

This exploit leverages a symlink vulnerability in VMware Fusion to escalate privileges by replacing a service binary with a malicious script that sets the SUID bit on a copy of bash. The attacker gains root access via the compromised service execution.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: VMware Fusion Professional 11.5.1 (15018442) and 11.5.2 (15794494)
No auth needed
Prerequisites: VMware Fusion installed on macOS · Local user access
devstral-2 · analyzed Feb 16, 2026 Full analysis →
vulncheck_xdb WORKING POC
local
https://github.com/mirchr/security-research

The repository contains functional exploit scripts for CVE-2020-3950, a VMware Fusion Elevation of Privilege vulnerability. The PoC script demonstrates the vulnerability by exploiting a local privilege escalation flaw.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: VMware Fusion
No auth needed
Prerequisites: Local access to the vulnerable system
devstral-2 · analyzed Feb 25, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by h00die, Dhanesh Kizhakkinan, Rich Mirch, jeffball <[email protected]>, grimm · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/vmware_fusion_lpe.rb

This Metasploit module exploits a setuid binary misuse in VMware Fusion (CVE-2020-3950) to achieve local privilege escalation by manipulating the 'Open VMware USB Arbitrator Service' binary path and loading an attacker-controlled payload.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: VMware Fusion 10.1.3 - 11.5.3
Auth required
Prerequisites: Local access to a vulnerable VMware Fusion installation · User-level shell on macOS
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 7.8
EPSS 0.1607
EPSS Percentile 95.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-25215
CWE
CWE-269
Status published
Products (3)
vmware/fusion 11.0.0 - 11.5.2
vmware/horizon_client 5.0.0 - 5.4.0
vmware/remote_console 11.0.0 - 11.0.1
Published Mar 17, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026