CVE-2020-3992 — VMware ESXi OpenSLP Use-After-Free Vulnerability

CVE-2020-3992

VMware ESXi OpenSLP — Use-After-Free in Service Location Protocol Daemon Enables Unauthenticated RCE from Management Network; Exploited by ESXiArgs and BlackBasta Ransomware

What is VMware ESXi OpenSLP?

VMware ESXi is the hypervisor platform underlying VMware vSphere, running directly on bare-metal hardware to host virtual machines. ESXi includes OpenSLP (Service Location Protocol), a network service discovery protocol running on port 427 (UDP/TCP) that allows clients to discover ESXi services on the network. OpenSLP is enabled by default on ESXi and listens on the management network interface. While SLP is a legacy discovery protocol rarely needed in modern environments, it is exposed on ESXi hosts as a default-on service, providing an attack surface on the management network — typically an internal network that is trusted but not isolated from all internal hosts. A use-after-free in the SLP daemon allows code execution in the hypervisor context, providing access to all hosted VMs, their data, and the underlying host infrastructure.

Overview

CVE-2020-3992 is a use-after-free (CWE-416) in VMware ESXi's OpenSLP implementation, allowing an unauthenticated attacker with access to port 427 on the management network to achieve remote code execution on the ESXi hypervisor. VMware patched it in VMSA-2020-0023 (October 2020). The vulnerability became highly significant in February 2023 when the ESXiArgs ransomware campaign mass-exploited unpatched ESXi hosts via OpenSLP vulnerabilities — thousands of ESXi hosts were encrypted across Europe and North America within days, highlighting the risk of leaving legacy services enabled and unpatched on hypervisors.

Affected Versions

Product                                              | Vulnerable | Fixed
VMware ESXi 7.0 before ESXi70U1c-17325551            | Yes        | ESXi70U1c-17325551
VMware ESXi 6.7 before ESXi670-202011301-SG          | Yes        | ESXi670-202011301-SG
VMware ESXi 6.5 before ESXi650-202011401-SG          | Yes        | ESXi650-202011401-SG
VMware Cloud Foundation 4.x / 3.x                    | Yes        | Apply VMSA-2020-0023 patches

Technical Details

  • Root cause: Use-after-free (CWE-416) in the OpenSLP daemon (slpd), which processes service-discovery requests from the network; a heap corruption condition lets an already-freed memory region be accessed again, allowing an attacker to control the contents of the freed object and redirect execution; the vulnerability is reachable via SLP protocol messages on port 427 without authentication
  • Management network access requirement: CVSS shows AV:N (Network) but the description specifies "management network with access to port 427" — most ESXi deployments place the management interface on an internal management VLAN; however, hypervisors with internet-accessible management interfaces, or organizations with flat internal networks, leave the service exploitable from outside the management segment
  • Hypervisor RCE impact: Code execution on the ESXi hypervisor (ring 0 / host OS) provides access to all hosted VMs, their virtual disk images, snapshot data, and VM configuration; ransomware targeting ESXi hosts can encrypt all virtual disk files (VMDK, VMX, VMSN) simultaneously, taking down every VM on the host with a single exploit
  • ESXiArgs ransomware (February 2023): A mass-exploitation campaign targeting ESXi hosts using OpenSLP vulnerabilities (including CVE-2020-3992 and CVE-2021-21974) encrypted thousands of ESXi hosts across Europe, North America, and Asia; the campaign demonstrated that large numbers of ESXi hosts remained unpatched 2+ years after the fix was available; CISA published a recovery script for ESXiArgs victims
  • OpenSLP attack surface: OpenSLP is a rarely-used service in modern enterprise environments that has been the source of multiple critical ESXi vulnerabilities; VMware eventually disabled SLP by default in ESXi 7.0 Update 2 and later versions

Discovery

VMware identified CVE-2020-3992 and patched it in the October 2020 VMSA-2020-0023 advisory. The vulnerability's severity and exploitability became clear in 2021-2022 as threat intelligence showed active exploitation. CISA added it to KEV in November 2021 based on confirmed in-the-wild exploitation.

Exploitation Context

CVE-2020-3992's most significant exploitation context is the February 2023 ESXiArgs campaign, which demonstrated the sustained risk of unpatched ESXi hypervisors. Ransomware targeting hypervisors is particularly devastating: a single exploit can encrypt virtual disk files for dozens or hundreds of VMs simultaneously, taking down an entire organization's virtual infrastructure in minutes. ESXi hosts running business-critical workloads are high-value targets because downtime is immediately felt across all hosted services. The campaign revealed that a substantial portion of internet-accessible ESXi hosts remained unpatched more than two years after patches were available — a recurring pattern in enterprise hypervisor security.

Remediation

  1. Apply VMSA-2020-0023 patches for all affected ESXi versions — the primary fix
  2. Disable OpenSLP on ESXi hosts where SLP discovery is not required (most environments): esxcli system slpd set --enabled false and esxcli system slpd start --enabled false; in ESXi 7.0 Update 2+, SLP is disabled by default
  3. Firewall port 427 on the ESXi management interface — block UDP/TCP port 427 access from any hosts that do not require SLP service discovery
  4. Restrict the ESXi management network to dedicated management hosts and jump servers; no direct internet access to ESXi management interfaces
  5. Investigate for compromise: check for unexpected VM configuration changes, virtual disk modifications, or new user accounts on ESXi hosts; scan for ESXiArgs-style encryption of VMDK files
  6. Enable VMware vSphere Host Profiles or equivalent change auditing to detect unauthorized configuration changes to ESXi hosts
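An offline audit helper for remediation steps 1 to 3, added here as example code (not VMware's tooling and not part of the advisory): it takes the text of `esxcli system version get` and `esxcli network firewall ruleset list` captured on a host and reports whether a 7.0 host is below fixed build 17325551 and whether the host firewall ruleset that opens port 427 is still enabled. The ruleset name CIMSLP and the exact output layouts are assumptions drawn from esxcli conventions, and the sample outputs below are constructed.

```shell
#!/bin/sh
# Added example, not VMware tooling: audit an ESXi 7.0 host for CVE-2020-3992 exposure
# from esxcli output captured as text. Assumptions: `esxcli system version get` prints
# "Version:" and "Build: Releasebuild-NNNN" lines, and the host firewall ruleset that
# opens port 427 is named CIMSLP in `esxcli network firewall ruleset list`.

FIXED_BUILD_70=17325551   # ESXi70U1c-17325551, the 7.0 fix from VMSA-2020-0023

# needs_patch "<version output>" -> prints vulnerable | patched | unknown
# Only 7.0 is decided by build number; 6.7/6.5 hosts are reported as unknown because
# their fixes are identified by patch ID (ESXi670-202011301-SG, ESXi650-202011401-SG).
needs_patch() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^ *Version: *//p')
  build=$(printf '%s\n' "$1" | sed -n 's/^ *Build: *\(Releasebuild-\)\{0,1\}//p')
  case "$ver" in
    7.0*)
      if [ "${build:-0}" -lt "$FIXED_BUILD_70" ]; then echo vulnerable; else echo patched; fi ;;
    *) echo unknown ;;
  esac
}

# slp_exposed "<ruleset list output>" -> exit 0 when the CIMSLP ruleset is enabled,
# i.e. the host firewall still admits port 427 traffic to slpd (remediation step 3).
slp_exposed() {
  printf '%s\n' "$1" | awk '$1 == "CIMSLP" && $2 == "true" { found = 1 } END { exit !found }'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_VERSION_OLD='   Product: VMware ESXi
   Version: 7.0.0
   Build: Releasebuild-16000000'
SAMPLE_VERSION_FIXED='   Product: VMware ESXi
   Version: 7.0.1
   Build: Releasebuild-17325551'
SAMPLE_RULESETS_OPEN='Name                      Enabled
------------------------  -------
sshServer                 true
CIMSLP                    true'
SAMPLE_RULESETS_CLOSED='Name                      Enabled
------------------------  -------
sshServer                 true
CIMSLP                    false'

echo "old host:   $(needs_patch "$SAMPLE_VERSION_OLD")"
echo "fixed host: $(needs_patch "$SAMPLE_VERSION_FIXED")"
if slp_exposed "$SAMPLE_RULESETS_OPEN"; then echo "CIMSLP ruleset: enabled (port 427 open)"; fi
```

On a real host, capture the two esxcli outputs into variables and pass them to needs_patch and slp_exposed; a "vulnerable" host with the CIMSLP ruleset enabled is the case the ESXiArgs campaign exploited.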

Key Details

Property              | Value
CVE ID                | CVE-2020-3992
Vendor / Product      | VMware — ESXi
NVD Published         | 2020-10-20
NVD Last Modified     | 2025-10-30
CVSS 3.1 Score        | 9.8
CVSS 3.1 Vector       | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              | CRITICAL
CWE                   | CWE-416
CISA KEV Added        | 2021-11-03
CISA KEV Deadline     | 2022-05-03
Known Ransomware Use  | Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date       | Event
2020-10-20 | VMware releases VMSA-2020-0023, patching CVE-2020-3992 in ESXi OpenSLP
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03 | CISA BOD 22-01 remediation deadline
2023-02-03 | ESXiArgs ransomware campaign mass-exploits unpatched ESXi hosts via OpenSLP vulnerabilities including CVE-2020-3992 and CVE-2021-21974

References

Resource                                  | Type
VMware Security Advisory VMSA-2020-0023   | Vendor Advisory
NVD — CVE-2020-3992                       | Vulnerability Database
CISA KEV Catalog Entry                    | US Government