CVE-2020-4006
CRITICAL KEV
VMware Identity Manager and Connector - OS Command Injection
Title source: llm
Exploitation Summary
CVE-2020-4006 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021.
Description
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability.
References (3)
Core References
Vendor Advisory x_refsource_misc
https://www.vmware.com/security/advisories/VMSA-2020-0027.html
Third Party Advisory, US Government Resource
https://www.kb.cert.org/vuls/id/724367
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-4006
Scores
CVSS v3
9.1
EPSS
0.1363
EPSS Percentile
94.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
active
Automatable
no
Technical Impact
total
Details
CISA KEV
2021-11-03
VulnCheck KEV
2020-12-03
InTheWild.io
2020-12-03
ENISA EUVD
EUVD-2020-25271
CWE
CWE-78
Status
published
Products (11)
vmware/cloud_foundation
4.0
vmware/cloud_foundation
4.0.1
vmware/identity_manager
3.3.1
vmware/identity_manager
3.3.2
vmware/identity_manager
3.3.3
vmware/identity_manager_connector
3.3.1
vmware/identity_manager_connector
3.3.2
vmware/identity_manager_connector
3.3.3
vmware/one_access
20.01
vmware/one_access
20.10
... and 1 more
Published
Nov 23, 2020
KEV Added
Nov 03, 2021
Tracked Since
Feb 18, 2026