CVE-2020-3952

CRITICAL KEV NUCLEI

VMware vCenter Server vmdir Information Disclosure

Title source: metasploit

Exploitation Summary

CVE-2020-3952 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 8 public exploits from researchers including Photubias, guardicore and bb33bb, among them a Metasploit module, auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates an authentication bypass vulnerability in VMware vCenter Server 6.7 by manipulating LDAP packets to create a new user and add it to the Administrators group. It leverages improper access controls in upgraded vCenter instances.

Description

Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.

Exploits (8)

exploitdb WORKING POC
by Photubias · text · webapps · multiple
https://www.exploit-db.com/exploits/48535

This exploit demonstrates an authentication bypass vulnerability in VMware vCenter Server 6.7 by manipulating LDAP packets to create a new user and add it to the Administrators group. It leverages improper access controls in upgraded vCenter instances.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: VMware vCenter Server 6.7 before update 3f
No auth needed
Prerequisites: vCenter Server 6.7 upgraded from 6.x · Network access to LDAP port (389)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 275 stars
by guardicore · remote
https://github.com/guardicore/vmware_vcenter_cve_2020_3952

This repository contains a functional Python exploit for CVE-2020-3952, which leverages an LDAP authentication bypass in VMware vCenter to create a new administrative user. The exploit performs an LDAP bind with invalid credentials, adds a new user, and grants it administrator privileges.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: VMware vCenter Server 6.7 (upgraded from previous versions, not clean installs)
No auth needed
Prerequisites: Network access to the vCenter LDAP service (port 389/636) · Python with python-ldap library installed
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 7 stars
by bb33bb · poc
https://github.com/bb33bb/CVE-2020-3952

This repository contains a functional exploit PoC for CVE-2020-3952, a remote command injection vulnerability in VMware vCenter Server. The script sends a crafted payload to establish a reverse shell on the target system.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: VMware vCenter Server
No auth needed
Prerequisites: Network access to the target VMware vCenter Server · Target system must be vulnerable to CVE-2020-3952
devstral-2 · analyzed Feb 18, 2026

nomisec SCANNER 4 stars
by chronoloper · poc
https://github.com/chronoloper/CVE-2020-3952

This script checks for the presence of CVE-2020-3952 by verifying vCenter upgrade logs and version details via SSH. It does not exploit the vulnerability but confirms susceptibility based on version and upgrade history.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: VMware vCenter Server (6.7 before 6.7U3f)
Auth required
Prerequisites: SSH access to vCenter as root · Valid root credentials
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 3 stars
by Fa1c0n35 · remote
https://github.com/Fa1c0n35/vmware_vcenter_cve_2020_3952

This repository contains a functional Python exploit for CVE-2020-3952, which leverages an LDAP authentication bypass in VMware vCenter to create a new administrative user. The exploit performs an LDAP bind with invalid credentials, adds a new user, and grants it administrator privileges.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: VMware vCenter Server 6.7 (upgraded from previous versions, not clean installs)
No auth needed
Prerequisites: Network access to the vCenter LDAP service (port 389) · Python with python-ldap library
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by gelim · remote
https://github.com/gelim/CVE-2020-3952

This repository contains a functional exploit PoC for CVE-2020-3952, which targets VMware vCenter Server. The exploit checks for vulnerability by attempting to modify the 'description' attribute of the built-in Administrators group via LDAP, demonstrating the vulnerability without creating an admin user.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: VMware vCenter Server
No auth needed
Prerequisites: Network access to the LDAP service on the target vCenter Server
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC
by Hynek Petrak, JJ Lehmann, Ofri Ziv, wvu · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb

This Metasploit module exploits an LDAP authentication bypass in VMware vCenter Server's vmdir service (CVE-2020-3952) to add an arbitrary administrator user. It leverages invalid credentials to bypass authentication and then adds a new user to the Administrators group.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: VMware vCenter Server 6.7 (prior to 6.7U3f, if upgraded from 6.0 or 6.5)
No auth needed
Prerequisites: Network access to LDAP service (port 636) · VMware vCenter Server vulnerable to CVE-2020-3952
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
by Hynek Petrak, wvu · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb

This Metasploit module exploits CVE-2020-3952, an information disclosure vulnerability in VMware vCenter Server's vmdir LDAP service. It performs an anonymous or authenticated LDAP bind to dump sensitive data, including password hashes, from vulnerable systems.

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: VMware vCenter Server 6.7 (prior to 6.7U3f, if upgraded from 6.0 or 6.5)
No auth needed
Prerequisites: Network access to LDAP port (636/TCP) · Vulnerable VMware vCenter Server version
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

VMware vCenter Server LDAP Broken Access Control
CRITICAL · by 0x_Akoko

Scores

CVSS v3: 9.8
EPSS: 0.9437
EPSS Percentile: 100.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2021-11-03
InTheWild.io: 2021-07-23
ENISA EUVD: EUVD-2020-25217
CWE: CWE-306
Status: published
Products (1): vmware/vcenter_server 6.7
Published: Apr 10, 2020
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026