01 · The Real Story
This is a master-key flaw, but only if the attacker can reach the lock on the management hallway
Tenable plugin 183957 maps to CVE-2023-34048, an out-of-bounds write in vCenter Server's DCERPC implementation that can lead to unauthenticated remote code execution. Affected ranges are vCenter 6.5 < 6.5 U3v, 6.7 < 6.7 U3t, 7.0 < 7.0 U3o, and 8.0 < 8.0 U1d; Broadcom also lists 8.0 U2 as fixed and shipped async fixes for VCF 4.x/5.x.
The vendor's CRITICAL 9.8 is technically fair, but operationally incomplete. This is not a generic internet-grade HTTPS bug against every exposed vCenter admin page; exploitation depends on network reachability to the vulnerable DCERPC management path, which is often restricted to management networks or blocked in managed offerings. That reachability friction downgrades it from blanket CRITICAL to HIGH, but only barely, because VMware confirmed in-the-wild exploitation and a compromised vCenter is a control-plane compromise with ugly blast radius.
"Active KEV-listed pre-auth RCE, but real-world reachability is narrower than the vendor's 9.8 suggests."
02 · The Attack Path
4 steps from start to impact.
STEP 01
Find a reachable vCenter management plane
The attacker first identifies a vCenter instance and checks whether the vulnerable DCERPC path is reachable from their position. In practice this is done with standard recon tooling such as
nmap plus service fingerprinting against the vCenter management network, not some exotic exploit kit.Conditions required:
- A vCenter Server version in the affected range
- Attacker has network path to the vulnerable vCenter service/ports
- Target is not already patched to 6.5 U3v / 6.7 U3t / 7.0 U3o / 8.0 U1d+
Where this breaks in practice:
- Many enterprises keep vCenter on a management VLAN reachable only from jump hosts
- Managed services such as Google Cloud VMware Engine explicitly block the relevant vulnerable ports from untrusted access
- Public exposure is narrower than a normal 443-only web attack surface
Detection/coverage: External scanners often see the vCenter web UI, but not whether the vulnerable DCERPC path is reachable from attacker-relevant networks. Exposure management needs network-context validation, not version-only findings.
STEP 02
Trigger DCERPC memory corruption
The exploit sends crafted DCERPC traffic to trigger the out-of-bounds write in vCenter's implementation. VMware and NVD both describe this as a pre-auth network attack that can lead to remote code execution; NVD also tags third-party exploit material in references.
Conditions required:
- Reachability to the vulnerable service
- No authentication required
- Service is running normally on the target vCenter
Where this breaks in practice:
- Requires protocol-specific exploit delivery rather than simple web request replay
- Service-specific ACLs or firewalls can kill the path even if the vCenter UI is reachable
- Some environments may expose vCenter broadly to admins but not the vulnerable transport from user subnets
Detection/coverage: Version-based vuln scanners flag the host, but exploit-attempt visibility depends on east-west telemetry, IDS signatures for DCERPC abuse, and appliance crash log review.
STEP 03
Land code execution on the vCenter appliance
Successful exploitation yields command execution on the vCenter appliance before authentication. Mandiant and VMware correlated
vmdird crashes with exploitation, and Mandiant observed attacker backdoors deployed minutes after those crashes.Conditions required:
- Exploit succeeds against the specific build
- Attacker can maintain a session or drop tooling after code execution
Where this breaks in practice:
- Exploit reliability may vary by build and environment
- Crash artifacts can create forensic breadcrumbs if logs and core dumps are retained
Detection/coverage: Hunt for
vmdird crashes and vMonCoredumper.log entries, plus unexpected services, binaries, or outbound connections from the appliance.STEP 04
Pivot from vCenter into the virtualization estate
Once inside vCenter, the attacker is sitting on the management console for the hypervisor fleet. Mandiant's UNC3886 reporting shows post-exploit activity expanding into ESXi and guest VMs, including credential access and follow-on backdoor deployment using the VMware control plane.
Conditions required:
- vCenter is integrated with ESXi hosts and guest operations in a normal enterprise deployment
- Attacker has enough post-exploit stability to enumerate inventory and credentials
Where this breaks in practice:
- Segmentation between vCenter and other admin tiers can slow expansion
- Good logging around vCenter, ESXi, and guest operations can surface abnormal administrative behavior
Detection/coverage: EDR coverage is often weak or absent on ESXi and uneven on the appliance, so SIEM correlation across vCenter logs, hypervisor logs, and identity events matters more than endpoint-only telemetry.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | Yes. Broadcom updated the advisory on 2024-01-17 to state exploitation had occurred in the wild, and Mandiant tied exploitation to UNC3886 as far back as late 2021. |
|---|---|
| KEV status | CISA KEV-listed on 2024-01-22 with due date 2024-02-12. |
| Proof-of-concept / exploit material | Exploit references exist. NVD tags a Vicarius write-up as Exploit, but this is not a commodity web-copy/paste bug with the same universal ease as a trivial HTTP endpoint RCE. |
| EPSS | ~93.2% EPSS / ~99.8 percentile per Wiz tracking, which aligns with the KEV and confirmed exploitation story. |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — pre-auth network RCE with full CIA impact *if reachable*. |
| Affected versions | vCenter 6.5 < U3v, 6.7 < U3t, 7.0 < U3o, 8.0 < U1d; VMware also issued fixes for VCF 4.x/5.x and even patched some EOL branches because the issue was too severe to ignore. |
| Fixed versions | Patch to 6.5 U3v, 6.7 U3t, 7.0 U3o, 8.0 U1d or later; Broadcom also lists 8.0 U2 as fixed. VCF 4.x/5.x require the async guidance in KB88287. |
| Exposure data | Censys observed roughly 3,541 public vCenter web admin hosts, but only about 293 (8.2%) had the relevant DCERPC exposure on the same public interface. That is the biggest real-world reason this is not a blanket CRITICAL everywhere. |
| Disclosure timeline | Initial vendor publication 2023-10-25; advisory updated 2024-01-17 for active exploitation; CISA KEV addition 2024-01-22. |
| Reporting researcher | Grigory Dorodnov of Trend Micro Zero Day Initiative reported the flaw to VMware. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to HIGH (8.9/10)
The decisive friction is reachability: this bug needs network access to the vulnerable vCenter DCERPC management path, which is commonly restricted to management networks and is not universally exposed like a plain web-console flaw. It stays HIGH because exploitation is confirmed, KEV-listed, and a successful hit lands on the vSphere control plane, where one host can fan out across your estate.
HIGH CVE identification and affected version mapping to Tenable plugin 183957
HIGH Active exploitation / KEV status
MEDIUM How often the vulnerable transport is reachable in your specific enterprise network
Why this verdict
- Downshift for reachability: vendor 9.8 assumes any network path is enough, but real exploitation depends on access to the vulnerable DCERPC management path, which many enterprises keep off untrusted networks.
- Upweight for blast radius: vCenter is not just another server; it is the management plane for ESXi and often the shortest route to hypervisor and guest-level follow-on abuse.
- Upweight for reality, not theory: VMware confirmed exploitation in the wild, Mandiant tied it to UNC3886, and CISA KEV status removes any argument that this is merely laboratory risk.
Why not higher?
I am not calling this CRITICAL across the board because the reachable population is meaningfully narrower than the CVSS headline implies. If your segmentation is decent, this is often a post-initial-access or admin-network opportunity, not a universal internet-facing emergency on every vCenter asset.
Why not lower?
I am not pushing this to MEDIUM because the attack is pre-auth, the impact is RCE on vCenter, and the victim asset is a crown-jewel control plane. KEV listing and confirmed real-world exploitation keep this out of backlog territory.
05 · Compensating Control
What to do — in priority order.
- Block untrusted paths to vCenter management ports — Immediately, within hours, restrict the vulnerable vCenter management-plane ports to dedicated admin jump hosts and approved management networks only. Because this CVE is KEV-listed and actively exploited, do not wait for the normal HIGH timeline; use ACLs, NGFW policy, and microsegmentation as an emergency containment move.
- Enforce jump-host-only administration — Immediately, within hours, force vCenter access through hardened bastions with logging instead of broad workstation reachability. This directly attacks the biggest prerequisite in the exploit chain: attacker network position.
- Hunt for
vmdirdcrash artifacts — Immediately, within hours, review/var/log/vMonCoredumper.log, appliance service crash records, and unexpected binaries or outbound connections from the vCenter appliance. Mandiant linkedvmdirdcrashes closely to exploit activity, so this is one of the few concrete post-exploit breadcrumbs defenders actually get. - Review east-west access to ESXi and guest operations — Within 30 days if not already covered by the emergency response, verify that a compromised vCenter cannot trivially fan out to every management tier without additional controls. This matters because the blast radius, not just the initial exploit, is what keeps the severity high.
What doesn't work
- MFA on the vSphere UI does not stop this attack, because exploitation is pre-auth and not dependent on interactive login.
- Locking down only
443/tcpis not enough if the vulnerable DCERPC management path remains reachable elsewhere. - Relying on EDR alone is weak coverage here; vCenter appliances and especially ESXi layers often have thinner agent visibility than normal server fleets.
06 · Verification
Crowdsourced verification payload.
Run this on the target vCenter Server Appliance over SSH, after dropping from the appliance shell into bash if needed. Invoke it as sudo bash ./check-cve-2023-34048.sh; root is preferred because some environments restrict access to vpxd -v, but read-only shell access is usually enough.
#!/usr/bin/env bash
# check-cve-2023-34048.sh
# Detect likely exposure to CVE-2023-34048 on VMware vCenter Server Appliance.
# Outputs one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
set -u
get_version_output() {
if command -v vpxd >/dev/null 2>&1; then
vpxd -v 2>/dev/null && return 0
fi
if [ -x /usr/sbin/vpxd ]; then
/usr/sbin/vpxd -v 2>/dev/null && return 0
fi
if [ -x /usr/lib/vmware-vpx/vpxd ]; then
/usr/lib/vmware-vpx/vpxd -v 2>/dev/null && return 0
fi
return 1
}
OUT="$(get_version_output)" || {
echo "UNKNOWN - unable to execute vpxd -v"
exit 2
}
# Expected examples vary, but usually contain version and build tokens.
# Example: VMware VirtualCenter 7.0.3 build-22357613
VERSION="$(printf '%s\n' "$OUT" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)"
BUILD="$(printf '%s\n' "$OUT" | grep -Eo 'build[- ]?[0-9]+' | grep -Eo '[0-9]+' | head -n1)"
if [ -z "${VERSION:-}" ] || [ -z "${BUILD:-}" ]; then
echo "UNKNOWN - could not parse version/build from: $OUT"
exit 2
fi
major_minor="$(printf '%s' "$VERSION" | awk -F. '{print $1 "." $2}')"
status="UNKNOWN"
reason="unsupported or unrecognized version family"
case "$major_minor" in
"6.5")
# Fixed in 6.5 U3v, build 22499743
if [ "$BUILD" -ge 22499743 ] 2>/dev/null; then
status="PATCHED"
reason="6.5 build >= 22499743 (6.5 U3v)"
else
status="VULNERABLE"
reason="6.5 build < 22499743 (before 6.5 U3v)"
fi
;;
"6.7")
# Fixed in 6.7 U3t, appliance build 22509751
if [ "$BUILD" -ge 22509751 ] 2>/dev/null; then
status="PATCHED"
reason="6.7 build >= 22509751 (6.7 U3t appliance)"
else
status="VULNERABLE"
reason="6.7 build < 22509751 (before 6.7 U3t)"
fi
;;
"7.0")
# Fixed in 7.0 U3o, build 22357613
if [ "$BUILD" -ge 22357613 ] 2>/dev/null; then
status="PATCHED"
reason="7.0 build >= 22357613 (7.0 U3o)"
else
status="VULNERABLE"
reason="7.0 build < 22357613 (before 7.0 U3o)"
fi
;;
"8.0")
# Fixed in 8.0 U1d, build 22368047; 8.0 U2 is also fixed and newer.
if [ "$BUILD" -ge 22368047 ] 2>/dev/null; then
status="PATCHED"
reason="8.0 build >= 22368047 (8.0 U1d / U2+)"
else
status="VULNERABLE"
reason="8.0 build < 22368047 (before 8.0 U1d)"
fi
;;
*)
# Newer families are outside this plugin's scope.
status="UNKNOWN"
reason="version family $major_minor not covered by this check"
;;
esac
echo "$status - version=$VERSION build=$BUILD ($reason)"
case "$status" in
PATCHED) exit 0 ;;
VULNERABLE) exit 1 ;;
*) exit 2 ;;
esac
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning, treat any reachable vulnerable vCenter as an emergency control-plane risk: use the noisgate mitigation SLA override for KEV/active exploitation and patch / mitigate immediately, within hours by cutting untrusted access to the vulnerable management path and validating whether your management VLANs, jump hosts, and remote admin enclaves can still reach it. Then push the actual vendor update on the exposed or reachable population in the same response wave; while the formal noisgate remediation SLA for a HIGH finding is ≤180 days, that is a ceiling, not a recommendation, for a KEV-listed vCenter RCE with confirmed in-the-wild abuse.
Sources
- Tenable Nessus Plugin 183957
- Broadcom / VMware VMSA-2023-0023.1
- NVD CVE-2023-34048
- CISA KEV Alert for CVE-2023-34048
- Mandiant / Google Cloud: UNC3886 exploiting CVE-2023-34048 since late 2021
- Google Cloud VMware Engine security bulletins
- Censys exposure analysis for CVE-2023-34048
- vCenter release and build number history
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.