Concise Cyber


CISA Adds VMware Zero-Day to KEV Catalog Following Exploitation by China-Linked Hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical VMware zero-day vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The action follows confirmation that the flaw is being actively exploited in the wild by a cyber espionage group with links to China.

The vulnerability, tracked as CVE-2023-34048, is an out-of-bounds write in VMware vCenter Server's implementation of the DCERPC protocol. An attacker with network access to a vCenter Server can trigger it to achieve remote code execution on the appliance, with no credentials or user interaction required. VMware addressed the vulnerability in patches released in October 2023.

Details of the VMware Vulnerability (CVE-2023-34048)

The security flaw resides in VMware vCenter Server, the centralized management platform for VMware vSphere environments, which makes a compromised vCenter a foothold over every ESXi host and virtual machine it manages. With a CVSS v3 base score of 9.8 out of 10, the vulnerability is rated critical. Exploitation requires only network reachability of the vulnerable service: a malicious actor can trigger the out-of-bounds write and execute arbitrary code on the target server without any user interaction. VMware has provided patches for the affected versions of vCenter Server and Cloud Foundation, and no workaround was published, so updating is the only remediation.
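Because the only remediation is the vendor patch, the first practical question for a defender is whether a given vCenter is on a fixed build. The script below is an added example written for this page, not code from the article or from VMware. It classifies a vCenter Server as patched or not for CVE-2023-34048 from either the output of `vpxd -v` on the appliance or the JSON returned by the vSphere Automation API endpoint `GET /api/appliance/system/version`. Two assumptions are made: the input formats shown in the comments, and the minimum fixed build numbers in `FIXED_BUILD`, which are transcribed from VMSA-2023-0023 and must be verified against the advisory before the script is used for real inventory. vCenter build numbers increase monotonically within a release line, which is what makes a per-line build comparison sufficient. Release lines not in the table (6.x, for which VMware published fixes later) are reported as "unknown" rather than guessed.

```python
"""Classify a VMware vCenter Server build as patched or unpatched for CVE-2023-34048.

Added example, not from the article or from VMware.
ASSUMPTION: the fixed build numbers in FIXED_BUILD are transcribed from
VMSA-2023-0023; verify them against the advisory before relying on this.
"""
import json
import re

# Assumed minimum fixed build per release line (verify against VMSA-2023-0023):
#   "7.0" -> vCenter 7.0 U3o, "8.0" -> vCenter 8.0 U1d (8.0 U2 is newer and also fixed).
# Builds increase monotonically within a line, so build < fixed means unpatched.
FIXED_BUILD = {
    "7.0": 22357613,
    "8.0": 22368047,
}

# Assumed shape of `vpxd -v` output on the appliance, e.g.
#   "VMware VirtualCenter 7.0.3 build-22357613"
_VPXD_RE = re.compile(r"VirtualCenter\s+(\d+\.\d+)(?:\.\d+)*\s+build-(\d+)")


def parse_vpxd_version(text: str) -> tuple[str, int]:
    """Return (release_line, build) from a `vpxd -v` line; raise on unrecognised input."""
    m = _VPXD_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised vpxd version string: {text!r}")
    return m.group(1), int(m.group(2))


def parse_api_version(payload: str) -> tuple[str, int]:
    """Return (release_line, build) from the JSON body of
    GET /api/appliance/system/version, which carries "version" (dotted) and "build".
    """
    doc = json.loads(payload)
    line = ".".join(doc["version"].split(".")[:2])  # "8.0.2.00000" -> "8.0"
    return line, int(doc["build"])


def assess(line: str, build: int) -> str:
    """'patched', 'vulnerable', or 'unknown' when the release line is not tabled.

    'unknown' is deliberately not 'patched': older lines received fixes later
    and must be checked manually against the advisory.
    """
    fixed = FIXED_BUILD.get(line)
    if fixed is None:
        return "unknown"
    return "patched" if build >= fixed else "vulnerable"


def assess_vpxd(text: str) -> str:
    """Verdict for a `vpxd -v` output line."""
    return assess(*parse_vpxd_version(text))


def assess_api(payload: str) -> str:
    """Verdict for an /api/appliance/system/version JSON body."""
    return assess(*parse_api_version(payload))


if __name__ == "__main__":
    # Constructed sample inputs derived from the table, not real inventory data.
    samples = [
        f"VMware VirtualCenter 7.0.3 build-{FIXED_BUILD['7.0'] - 1}",
        f"VMware VirtualCenter 7.0.3 build-{FIXED_BUILD['7.0']}",
        json.dumps({"version": "8.0.1.00000", "build": str(FIXED_BUILD["8.0"] - 50000)}),
        json.dumps({"version": "8.0.2.00000", "build": str(FIXED_BUILD["8.0"] + 17692)}),
        "VMware VirtualCenter 6.7.0 build-1",
    ]
    for s in samples:
        verdict = assess_api(s) if s.lstrip().startswith("{") else assess_vpxd(s)
        print(f"{verdict:10s} {s}")
```

Run it on the appliance shell (`vpxd -v | python3 check.py`-style piping is a trivial extension) or feed it the API JSON collected from each vCenter in inventory. Anything reported as "vulnerable" or "unknown" should be treated as exposed until confirmed otherwise, since an unpatched vCenter is exactly the target the campaign described below went after.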

Active Exploitation by UNC3886

Security researchers at Mandiant attributed exploitation of this zero-day to a China-nexus threat actor designated UNC3886. The group used the flaw to compromise unpatched vCenter servers and, from that vantage point, deployed backdoors on the ESXi hosts those servers managed. The intrusions focused on persistence and detection evasion, and the victims were organizations in the technology, defense, and government sectors. Because the KEV catalog is enforced through CISA's Binding Operational Directive 22-01, the listing obliges Federal Civilian Executive Branch (FCEB) agencies to apply the vendor updates by the deadline CISA specified for this entry.

Source: https://thehackernews.com/2025/10/cisa-flags-vmware-zero-day-exploited-by.html