01 · The Real Story
Like finding a side drawer in the control room that only opens after you already have a badge
This maps to CVE-2023-34056, a partial information disclosure flaw in VMware vCenter Server. Affected ranges are 7.0 before 7.0U3o and 8.0 before 8.0U2; Broadcom also ties impacted VMware Cloud Foundation 4.x/5.x deployments to the vulnerable embedded vCenter component. The vendor description is narrow on purpose: an attacker needs non-administrative vCenter privileges first, then can access data they should not be able to read.
Vendor MEDIUM / 4.3 is technically fair, but for enterprise patch prioritization it lands lower. The decisive friction is the attacker position: this is post-auth against a heavily restricted management plane, and the published impact is partial confidentiality only with no integrity or availability loss. On a 10,000-host patch board, that is not the same animal as the unauthenticated vCenter bugs that have historically driven mass exploitation.
"This is an authenticated vCenter data leak, not an internet-scale pre-auth break."
02 · The Attack Path
4 steps from start to impact.
STEP 01
Get a real vCenter foothold
The attacker first needs a legitimate vCenter identity with at least low privileges. In practice that means stolen help-desk creds, delegated ops access, a compromised SSO-linked account, or an insider already present in the admin plane. Tools are mundane here:
Axiom, Evilginx, browser session theft, or plain credential reuse are more realistic than a CVE-specific exploit.Conditions required:
- Reachability to the vCenter management interface or API
- Valid non-admin vCenter credentials or token
- vCenter role grants enough authenticated access to hit the vulnerable code path
Where this breaks in practice:
- Most enterprises do not expose vCenter broadly to the internet
- vCenter accounts are usually a tiny, monitored population
- MFA, PAM, bastions, and VPN segmentation often gate access before the CVE matters
Detection/coverage: Identity controls and vCenter auth logs are the best choke points. Nessus plugin 183958 is version-based only and does not validate exploitability.
STEP 02
Authenticate to vSphere services
With credentials in hand, the operator logs into the vSphere Client or underlying APIs using standard tooling such as
curl, govc, PowerCLI, or a browser. There is no public one-click weaponized flow for this CVE in the reviewed sources; the attacker is blending into ordinary management traffic.Conditions required:
- Successful authentication to vCenter
- Access to the relevant UI/API path
Where this breaks in practice:
- Short session lifetimes and conditional access can cut off replayed sessions
- Jump hosts and admin enclaves concentrate telemetry around these logins
Detection/coverage: Look for unusual non-admin logins to vCenter, especially from non-admin workstations, unusual source IPs, or automation tools hitting APIs they do not normally use.
STEP 03
Read data past the intended boundary
The vulnerable access-control path lets the authenticated low-privileged user retrieve information they should not see. Broadcom characterizes the outcome as unauthorized data access, not code execution, privilege escalation, or destructive control. The likely operator payoff is environment intelligence: inventory, configuration, or management-plane context that sharpens later attacks.
Conditions required:
- A vulnerable 7.0 or 8.0 build
- The authenticated user can reach the affected functionality
Where this breaks in practice:
- Impact is limited to information exposure, not direct takeover
- The exact vulnerable workflow is not publicly weaponized in the reviewed sources
- Value depends on what data the specific deployment exposes to that low-privileged role
Detection/coverage: There is no broadly published network signature for this CVE. Detection is behavioral: anomalous read-heavy API usage, unusual enumeration, and access by low-priv roles to objects they rarely touch.
STEP 04
Use the leaked context for follow-on operations
Any disclosed data is most useful as recon against the virtualization control plane and adjacent systems. An operator can pivot from the leak into host targeting, VM inventory mapping, service account hunting, or identifying weak operational boundaries. That is why this stays relevant despite the low base impact: vCenter sits near the top of the infrastructure trust stack.
Conditions required:
- The leaked data is operationally useful
- The attacker has another path to act on that intelligence
Where this breaks in practice:
- This CVE alone does not grant execution, admin, or persistence
- A second weakness or stolen privilege is still required for major impact
Detection/coverage: Correlate suspicious vCenter reads with subsequent lateral movement against ESXi, backup systems, identity infrastructure, or management subnets.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | Reviewed sources show active exploitation for sibling CVE-2023-34048, not for CVE-2023-34056. Broadcom updated VMSA-2023-0023 on 2024-01-17 to confirm exploitation of 34048 only. |
|---|---|
| Proof-of-concept availability | Tenable marks "No known exploits are available" for this plugin/CVE. Public attention and writeups around VMSA-2023-0023 overwhelmingly center on 34048. |
| EPSS | Current public EPSS tracking is low: CVEDetails shows about 0.26% with roughly 49th percentile. That is not zero, but it is nowhere near the profile of routinely weaponized management-plane bugs. |
| KEV status | No KEV evidence found in the reviewed sources for CVE-2023-34056. CISA's public weekly bulletin from 2023-10-30 lists it as a newly published medium vulnerability, not as an actively exploited entry. |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N = remote reachable, but only after low privileges are already obtained; confidentiality impact is low, integrity and availability are none. |
| Affected versions | vCenter Server 7.0 < 7.0U3o and 8.0 < 8.0U2. Broadcom/OpenCVE also note affected VMware Cloud Foundation 4.x/5.x because vCenter is embedded in that stack. |
| Fixed versions | Patch to 7.0U3o on the 7.x branch or 8.0U2 on the 8.x branch. For verification, Broadcom's build table maps these to 7.0.3.01700 / build 22357613 and 8.0.2.00000 / build 22385739. |
| Scanning / exposure reality | vCenter does exist on the public internet in meaningful numbers — Censys has previously measured thousands of internet-facing vCenter services — but this CVE still requires authenticated low-priv access, which sharply cuts the reachable population compared with pre-auth vCenter bugs. |
| Disclosure | Published 2023-10-25 via VMSA-2023-0023. Broadcom states the issues were responsibly reported; the reporting researcher or organization was not publicly named in the advisory. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to LOW (3.2/10)
The single biggest downgrade factor is the authenticated attacker requirement on vCenter itself. This is a narrow post-access information leak on a tightly controlled management plane, not a pre-auth break that changes your risk overnight.
HIGH Affected-version mapping and fixed-version identification
MEDIUM Real-world exploitability assessment in enterprise environments
Why this verdict
- Downshift for attacker position: the vendor 4.3 baseline assumes only
PR:L, but in the real world that means the attacker already has a vCenter account or token, which usually implies prior compromise, insider access, or delegated admin-plane reach. - Downshift for reachable population: even though some vCenter instances are internet-exposed, most enterprises keep vCenter behind VPN, jump hosts, or management enclaves. Requiring both network reachability and valid low-priv authentication compounds the friction.
- Downshift for blast radius: the published impact is partial information disclosure only. No direct code execution, no privilege escalation, and no service disruption are attributed to this CVE.
Why not higher?
It is not higher because this is not unauthenticated, not wormable, and not a direct control-plane takeover. The attacker still needs a separate path to get useful vCenter access before the bug does anything, and the CVE by itself does not hand them admin or execution.
Why not lower?
It is not lower because vCenter is a crown-jewel management system, so even a limited information leak can improve attacker recon materially. If an environment has broad read-only vCenter roles, shared operations accounts, or internet-exposed management surfaces, the practical risk rises above pure backlog noise.
05 · Compensating Control
What to do — in priority order.
- Collapse low-priv vCenter access — Review and reduce read-only, audit, and delegated operator roles so fewer identities can reach the vulnerable surface. For a LOW verdict there is no formal mitigation SLA; treat this as backlog hygiene and complete during the next access-review cycle.
- Keep vCenter off the internet — Force access through VPN, bastions, or admin enclaves and block direct exposure of
443and5480from untrusted networks. This does not patch the bug, but it removes the easiest path to satisfying the network prerequisite; for LOW, do it as normal hygiene rather than emergency work. - Put MFA and PAM in front of vCenter — Since the attacker must authenticate first, strong auth and session brokering materially reduce exploitability. Apply to all human vCenter access and privileged automation accounts; for LOW, schedule in routine hardening if not already in place.
- Alert on odd non-admin reads — Baseline which users and tools normally query inventory and configuration data, then alert when low-priv identities enumerate unusually broad objects or log in from unusual hosts. This is your best chance to catch abuse because exploit-specific signatures are weak.
What doesn't work
- A WAF in front of vCenter is not a strong answer here, because the traffic can be authenticated and semantically valid application use rather than obviously malicious payloads.
- Endpoint controls on managed VMs or ESXi guests do not protect the vCenter appliance itself; this is a management-plane issue.
- Chasing only external exposure scans misses the real risk if an internal attacker or compromised admin workstation can already reach vCenter.
06 · Verification
Crowdsourced verification payload.
Run this on the target vCenter Server Appliance over SSH as root or another account allowed to execute vpxd -v. Example: ssh [email protected] 'bash -s' < check_cve_2023_34056.sh. It needs only local shell access and no network reachability beyond the SSH session.
#!/usr/bin/env bash
# check_cve_2023_34056.sh
# Determine whether a VMware vCenter Server Appliance is vulnerable to CVE-2023-34056
# Affected: 7.0 < 7.0U3o ; 8.0 < 8.0U2
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
set -u
fail_unknown() {
echo "UNKNOWN: $1"
exit 2
}
# Broadcom KB 380386 documents 'vpxd -v' as a supported way to check vCenter version.
if ! command -v vpxd >/dev/null 2>&1; then
fail_unknown "vpxd command not found; are you on a vCenter Server Appliance?"
fi
raw="$(vpxd -v 2>/dev/null | tr '\n' ' ')"
[ -n "$raw" ] || fail_unknown "vpxd -v returned no data"
# Try to extract a version string like 7.0.3.01700 or 8.0.2.00000
ver="$(printf '%s' "$raw" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n1)"
[ -n "$ver" ] || fail_unknown "could not parse version from: $raw"
IFS='.' read -r major minor patch build <<< "$ver"
for n in "$major" "$minor" "$patch" "$build"; do
[[ "$n" =~ ^[0-9]+$ ]] || fail_unknown "non-numeric version component in $ver"
done
# Normalize any leading zeros safely
major=$((10#$major))
minor=$((10#$minor))
patch=$((10#$patch))
build=$((10#$build))
# Compare a.b.c.d tuples
ver_ge() {
local a1=$1 b1=$2 c1=$3 d1=$4
local a2=$5 b2=$6 c2=$7 d2=$8
if (( a1 > a2 )); then return 0; fi
if (( a1 < a2 )); then return 1; fi
if (( b1 > b2 )); then return 0; fi
if (( b1 < b2 )); then return 1; fi
if (( c1 > c2 )); then return 0; fi
if (( c1 < c2 )); then return 1; fi
if (( d1 >= d2 )); then return 0; fi
return 1
}
# Fixed minimums for this CVE
# 7.0U3o => 7.0.3.01700
# 8.0U2 => 8.0.2.00000
if (( major == 7 && minor == 0 )); then
if ver_ge "$major" "$minor" "$patch" "$build" 7 0 3 1700; then
echo "PATCHED: detected vCenter version $ver (>= 7.0.3.01700 / 7.0U3o)"
exit 0
else
echo "VULNERABLE: detected vCenter version $ver (< 7.0.3.01700 / 7.0U3o)"
exit 1
fi
elif (( major == 8 && minor == 0 )); then
if ver_ge "$major" "$minor" "$patch" "$build" 8 0 2 0; then
echo "PATCHED: detected vCenter version $ver (>= 8.0.2.00000 / 8.0U2)"
exit 0
else
echo "VULNERABLE: detected vCenter version $ver (< 8.0.2.00000 / 8.0U2)"
exit 1
fi
else
fail_unknown "version $ver is outside the 7.0/8.0 ranges covered by this check"
fi
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning, do not treat this like a fire drill unless your vCenter is internet-exposed or broadly accessible to low-privileged users. For a LOW noisgate rating there is no noisgate mitigation SLA and no noisgate remediation SLA — this is backlog hygiene: verify exposure, tighten who can log into vCenter this sprint, and patch to 7.0U3o+ / 8.0U2+ in your normal vCenter maintenance window with documented rationale if you defer.
Sources
- Tenable plugin 183958
- Broadcom / VMware VMSA-2023-0023.1
- NVD CVE-2023-34056
- Broadcom KB 326316 - vCenter versions and build numbers
- Broadcom KB 380386 - checking version with vpxd -v
- CISA Vulnerability Summary for the Week of October 23, 2023
- Censys - VMware vCenter exposure analysis
- CVEDetails EPSS and metadata for CVE-2023-34056
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.