
All news with #vmware tag

43 articles

Critical Patches for Ivanti, Fortinet, SAP, VMware, n8n

🔒 Ivanti, Fortinet, SAP, VMware, n8n and dozens of other vendors have released security updates addressing multiple high- and critical-severity flaws that enable authentication bypass, information disclosure, local privilege escalation, and remote code execution. Highlights include a critical Ivanti Xtraction file-name control flaw (CVE-2026-8043), Fortinet authentication and sandbox execution bugs, SAP SQL injection and missing-auth issues, and a TOCTOU local privilege escalation in VMware Fusion. Administrators should prioritize applying the vendor-recommended patches immediately.

Pwn2Own Berlin 2026: $1.3M Awarded for 47 Zero-Days

🔒 At Pwn2Own Berlin (May 14–16), researchers uncovered 47 zero-day vulnerabilities and shared almost $1.3 million in prize money, with Devcore taking $505,000. The enterprise-focused competition targeted AI databases, coding agents, LLM toolchains and NVIDIA products. Notable wins included exploits against VMware ESXi, Microsoft Exchange, SharePoint and a sandbox escape on Microsoft Edge. ZDI will disclose the findings to vendors, who have 90 days to patch.

Amazon EVS Adds Microsoft Windows Server Licensing

🔔 Amazon Elastic VMware Service (Amazon EVS) now provides Microsoft Windows Server licensing entitlements, allowing customers to migrate or create Windows Server VMs in EVS and obtain licensing directly from AWS. Administrators configure an EVS connector to their VMware vCenter and supply VM IDs via the console or CLI. Licensing is charged on a per vCPU-hour basis and can be added or removed at any time; the feature is available in all Regions where EVS is offered.

NAKIVO v11.2 Adds Ransomware Defenses and vSphere 9 Support

🔒 NAKIVO has released Backup & Replication v11.2, introducing an automated real-time replication engine and expanded hypervisor support. The update delivers full compatibility with VMware vSphere 9 and Proxmox VE 9.0 (with 9.1 in scope), plus immutable backups, pre-recovery malware scanning, and air-gapped options to strengthen ransomware resilience. v11.2 also adopts OAuth 2.0 for email notifications and upgrades core platform components to improve stability and recovery speed.

Defender Guide: Hardening vCenter and ESXi Control Plane

🛡️ This guide summarizes GTIG and Mandiant research on threats targeting the vCenter Server Appliance and ESXi hypervisors, where attackers establish persistence beneath guest OS defenses. It prescribes an infrastructure-centric defense across four phases—benchmarking and base controls, identity management, vSphere network hardening, and logging/forensic visibility—emphasizing Photon OS hardening, mandatory remote telemetry, and strict network segmentation to force detectable friction.

CISA Flags SolarWinds, Ivanti, and Workspace One Flaws

⚠️ CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog on March 10, 2026, citing evidence of active exploitation in SolarWinds Web Help Desk, Ivanti Endpoint Manager, and Omnissa Workspace One UEM. Federal civilian agencies were ordered to apply the SolarWinds fix by March 12 and remediate the other two flaws by March 23. The issues include a critical deserialization bug (CVE-2025-26399), an authentication bypass (CVE-2026-1603), and an SSRF (CVE-2021-22054) tied to ongoing threat activity.

CISA Adds VMware Aria Operations RCE to KEV Catalog

⚠️ CISA has added a high-severity VMware Aria Operations flaw, CVE-2026-22719, to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation; the issue is an unauthenticated command injection that can allow arbitrary command execution and potential remote code execution. Broadcom released fixes for VMware Cloud Foundation, vSphere Foundation 9.0.2.0 and Aria Operations 8.18.6, and provided a shell-script workaround (aria-ops-rce-workaround.sh) for appliance nodes. Public details of in-the-wild exploitation and attribution remain scarce. Federal civilian agencies must apply the fixes by March 24, 2026.

CISA Flags VMware Aria Operations RCE as Exploited

🚨 CISA has added a VMware Aria Operations command injection flaw (CVE-2026-22719) to its Known Exploited Vulnerabilities catalog and is treating the issue as exploited in attacks. Broadcom says it is aware of reports of exploitation but cannot independently confirm them. VMware released patches on February 24 and provided a temporary workaround script (aria-ops-rce-workaround.sh) that disables vulnerable migration components; administrators should apply the updates or the workaround immediately.

VMware patches Aria Operations command injection flaw

🔒 Recent patches from VMware address several high- and medium-risk vulnerabilities in Aria Operations, Cloud Foundation, and Telco Cloud products. The most serious, CVE-2026-22719, is an unauthenticated command injection that could lead to remote code execution but requires support-assisted product migration to be exploitable, so it is rated high rather than critical. Broadcom recommends upgrading to Aria Operations 8.18.6 and applying corresponding updates for VMware Cloud Foundation and Telco Cloud components to mitigate these issues.

CISA: VMware ESXi Flaw Now Used in Ransomware Attacks

🔒 CISA confirmed ransomware gangs are exploiting a high-severity VMware ESXi sandbox escape (CVE-2025-22225) patched by Broadcom in March 2025 alongside related fixes. The vulnerability permits an attacker with privileges in the VMX process to trigger an arbitrary kernel write and escape the virtual machine sandbox. Organizations are urged to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue affected products if mitigations are unavailable.

CISA Flags Critical VMware vCenter RCE as Actively Exploited

🚨 CISA has added a critical VMware vCenter Server remote code execution flaw (CVE-2024-37079) to its catalog of vulnerabilities exploited in the wild and ordered federal civilian agencies to secure affected systems within three weeks. Patched in June 2024, the issue stems from a heap overflow in the DCERPC implementation of vCenter Server that can be exploited via a specially crafted network packet without credentials or user interaction. Broadcom confirms in-the-wild exploitation and urges immediate patching to the latest vCenter Server and Cloud Foundation releases; no mitigations are available.

CISA Adds Actively Exploited VMware vCenter Flaw Patch Urged

⚠️ CISA has added CVE-2024-37079, a critical heap overflow in Broadcom VMware vCenter's DCE/RPC implementation, to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. The flaw (CVSS 9.8) can enable remote code execution via a crafted network packet; Broadcom released fixes in June 2024 alongside CVE-2024-37080, with related patches issued in September 2024. Broadcom confirms in-the-wild abuse, and federal civilian agencies must update to the latest vCenter release by February 13, 2026.

Amazon EVS Adds Support for Multiple NSX Tier-0 Gateways

🌐 Amazon EVS now supports deploying multiple VMware NSX Tier-0 Gateways inside an SDDC, enabling enhanced network segmentation and more flexible routing. Multiple Tier-0 gateways distribute traffic across NSX Edge Clusters to improve performance and scale. Customers can isolate workloads, maintain separate security policies, and conduct upgrades or testing with minimal production impact.

CISA Adds VMware vCenter CVE to KEV Catalog January 2026

⚠️ CISA has added CVE-2024-37079, an out-of-bounds write in VMware vCenter Server (Broadcom), to the Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of memory-corruption flaw is a common attacker vector and poses significant risk to the federal enterprise. Under BOD 22-01, FCEB agencies must remediate cataloged vulnerabilities by the required due date; CISA urges all organizations to prioritize timely remediation and to reduce exposure to active threats.

Amazon EVS adds VMware VCF and ESX version control

🛠 Amazon Elastic VMware Service (Amazon EVS) now lets administrators specify supported combinations of VMware Cloud Foundation (VCF) and ESX software versions when provisioning environments and hosts. You can designate a VCF version with the CreateEnvironment API, select an ESX version when adding hosts via CreateEnvironmentHost, and query valid pairings with the GetVersions API. AWS also adds support for new environment deployments using VCF 5.2.2 to broaden compatibility.

Chinese-linked actors exploit VMware ESXi via SonicWall VPN

🔍 Huntress says Chinese-speaking threat actors used a compromised SonicWall VPN appliance in December 2025 to deploy a multi-stage exploit against VMware ESXi, leveraging three zero-day vulnerabilities disclosed by Broadcom in March 2025 (CVE-2025-22224/22225/22226). The toolkit includes an orchestrator dubbed MAESTRO, an unsigned kernel driver loaded via KDU, and a VSOCK-based ELF backdoor called VSOCKpuppet. The attack chain enabled VM-to-hypervisor escapes, remote control of ESXi hosts over VSOCK port 10000, and file transfer capabilities from guest VMs, all of which were halted by Huntress before a suspected ransomware stage could complete.

VMware ESXi zero-days likely exploited a year earlier

🔒 Chinese-speaking threat actors used a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit toolkit that appears to have been developed more than a year before the vulnerabilities were publicly disclosed. Huntress analysts found PDB build paths and simplified Chinese artifacts suggesting components were compiled in late 2023 and early 2024. The toolkit chains multiple ESXi flaws to escape guest VMs into the hypervisor, load an unsigned kernel driver, and deploy a persistent backdoor. Organizations are urged to apply the latest ESXi security updates and to use the supplied detection rules to identify compromise.

Ransomhouse Upgrades: Dual-Encryption Attacks on VMware

🔒 Palo Alto Networks warns that the Jolly Scorpius group has significantly upgraded its Ransomhouse RaaS with a dual-key encryption trojan called Mario, combining a 32-byte primary key and an eight-byte secondary key that make recovery extremely difficult. Attack automation via MrAgent targets VMware ESXi hypervisors, enabling rapid cluster-wide encryption and firewall neutralization. The campaign primarily targets German companies; recommended mitigations include hardening virtual environments, immutable backups, and strict network segmentation.

Amazon EVS Now Available in Additional AWS Regions

🚀 Amazon Elastic VMware Service (Amazon EVS) is now available in all availability zones within six additional AWS Regions, expanding options for running VMware workloads on AWS Nitro-powered EC2 bare-metal. You can deploy a complete VMware Cloud Foundation environment in hours using the guided workflow or CLI automation, accelerating migrations and data center exits. This expansion improves latency, supports data residency requirements, and adds redundancy choices for high availability.

Chinese Threat Actors Backdoor VMware vSphere Servers

🔒 Chinese state-sponsored actors are implanting a Go-based backdoor called BRICKSTORM on VMware vCenter and ESXi servers to maintain long-term persistence in targeted networks. CISA, NSA and the Canadian Cyber Centre analyzed multiple samples and found the malware often remained undetected for extended periods, enabling lateral movement, credential theft and exfiltration via VSOCK and SOCKS5 proxy functionality. The joint advisory includes IOCs, YARA and Sigma rules and recommends patching, hardening vSphere, restricting service account privileges, segmenting networks and blocking unauthorized DoH.