Critical Vulnerability in VMware Directory Service on vCenter Server v6.7

by Michael Trantas
Senior Solutions Architect

April 9, VMware announced a vulnerability in the VMware Directory Service (vmdir) for clients running vCenter Server version 6.7 . In certain conditions vmdir that ships with VMware vCenter Server, which as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.

A malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services dependent upon vmdir for authentication. VMware and CISA have assigned a vulnerability score of 10.0 – Maximum Critical.

This vulnerability can be resolved by upgrading an affected deployment to 6.7u3f or 7.0. See the table below.

Note: vCenter Server 6.7 (embedded or external PSC) prior to 6.7u3f is affected by CVE-2020-3952 if it was upgraded from a previous release line such as 6.0 or 6.5. Clean installations of vCenter Server 6.7 (embedded or external PSC) are not affected.

ProductVersionRunning OnCVE IdentifierCVSSV3SeverityFixed VersionWorkaroundsAdditional
vCenter Server7AnyCVE-2020-3952N/AN/AUnaffectedN/AN/A
vCenter Server6.7Virtual ApplianceCVE-2020-395210Critical6.7u3fNoneKB78543
vCenter Server6.7WindowsCVE-2020-395210Critical6.7u3fNoneKB78543
vCenter Server6.5AnyCVE-2020-3952N/AN/AUnaffectedN/AN/A

If you would like additional assistance or consultative consulting from the Helient professionals, please contact

Thank you for sharing... Share on Facebook
Tweet about this on Twitter
Share on LinkedIn