CVE-2020-3992

CRITICAL KEV RANSOMWARE

VMware ESXi < 7.0.1-0.0.16850804, < 6.7 ESXi670-202010401-SG, < 6.5 ESXi650-202010401-SG - Use-After-Free in OpenSLP


Exploitation Summary

CVE-2020-3992 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added November 3, 2021), with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including dgh05t and HynekPetrak.


Description

OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi host may be able to trigger a use-after-free in the OpenSLP service, resulting in remote code execution.

Exploits (3)

nomisec · Working PoC · 68 stars
by dgh05t · DoS
https://github.com/dgh05t/VMware_ESXI_OpenSLP_PoCs

This repository contains proof-of-concept exploits for CVE-2019-5544 and CVE-2020-3992, both targeting VMware ESXi's OpenSLP service. The exploits leverage heap overflow and memory corruption vulnerabilities to potentially achieve remote code execution or denial of service.

Classification: Working PoC (95% confidence)
Attack Type: DoS
Complexity: Moderate
Reliability: Theoretical
Target: VMware ESXi (OpenSLP service)
Authentication: none required
Prerequisites: Network access to the target's OpenSLP service (port 427)
Analyzed by devstral-2, Feb 16, 2026

nomisec · Scanner · 49 stars
by HynekPetrak · infoleak
https://github.com/HynekPetrak/CVE-2019-5544_CVE-2020-3992

This repository contains a Python script that scans for OpenSLP services, which may be vulnerable to CVE-2019-5544 and CVE-2020-3992. The script uses the Scapy library to send SLP protocol packets and detect services, but it does not exploit the vulnerabilities.

Classification: Scanner (95% confidence)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: VMware ESXi with OpenSLP service
Authentication: none required
Prerequisites: Network access to target systems · Python 3 and the Scapy library installed
Analyzed by devstral-2, Feb 16, 2026

vulncheck_xdb · Working PoC
DoS
https://github.com/ceciliaaii/CVE_2020_3992

The repository contains a functional Python script that exploits CVE-2020-3992 by sending a crafted packet to a vulnerable VMware ESXi server on port 427. The exploit triggers a denial-of-service (DoS) condition by sending multiple malformed packets.

Classification: Working PoC (90% confidence)
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: VMware ESXi (versions affected by CVE-2020-3992)
Authentication: none required
Prerequisites: Network access to the target ESXi server on port 427
Analyzed by devstral-2, Feb 25, 2026

References (4)

Core References
Patch, Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0023.html
Third Party Advisory, VDB Entry: https://www.zerodayinitiative.com/advisories/ZDI-20-1377/
Third Party Advisory, VDB Entry: https://www.zerodayinitiative.com/advisories/ZDI-20-1385/

Scores

CVSS v3: 9.8
EPSS: 0.9031
EPSS Percentile: 99.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2020-11-11
InTheWild.io: 2021-07-23
ENISA EUVD: EUVD-2020-25257
Ransomware Use: Confirmed
CWE: CWE-416
Status: published
Products (2)
vmware/cloud_foundation 3.0 - 3.10.1.2
vmware/esxi 6.5 (49 CPE variants)
Published: Oct 20, 2020
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026