CVE-2020-3956

HIGH

VMware Cloud Director 9.5.0.0-9.5.0.5 - Authenticated Remote Code Execution via Expression Language Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-3956. PoCs published by aaronsvk.

AI-analyzed exploit summary This exploit leverages an Expression Injection vulnerability in VMware vCloud Director to achieve Remote Code Execution (RCE) by injecting a malicious payload into the SMTP host name field. The payload uses Java reflection to execute arbitrary commands on the target system.

Description

VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.

Exploits (2)

exploitdb WORKING POC

by aaronsvk · pythonremotelinux

https://www.exploit-db.com/exploits/48540

View Code ZIP pw:eip

This exploit leverages an Expression Injection vulnerability in VMware vCloud Director to achieve Remote Code Execution (RCE) by injecting a malicious payload into the SMTP host name field. The payload uses Java reflection to execute arbitrary commands on the target system.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: VMware vCloud Director 9.7.0.15498291

Auth required

Prerequisites: Valid credentials for vCloud Director · Network access to the target system

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 89 stars

by aaronsvk · poc

https://github.com/aaronsvk/CVE-2020-3956

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-3956, a remote code execution vulnerability in VMware Cloud Director. The exploit leverages an expression injection flaw in the SMTP host configuration to execute arbitrary commands on the target system.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: VMware Cloud Director 9.7.0.15498291

Auth required

Prerequisites: Valid credentials for VMware Cloud Director · Network access to the target system

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory x_refsource_misc

https://www.vmware.com/security/advisories/VMSA-2020-0010.html

Exploit, Third Party Advisory x_refsource_misc

https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/

Exploit, Third Party Advisory x_refsource_misc

https://github.com/aaronsvk/CVE-2020-3956

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/157909/vCloud-Director-9.7.0.15498291-Remote-Code-Execution.html

Scores

CVSS v3 8.8

EPSS 0.2110

EPSS Percentile 97.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-917

Status published

Products (1)

vmware/vcloud_director 9.5.0.0 - 9.5.0.6

Published May 20, 2020

Tracked Since Feb 18, 2026