What is VMware vCenter Server?
VMware vCenter Server is the centralized management platform for VMware vSphere environments, providing unified control over ESXi hypervisors, virtual machines, storage, and networking in enterprise virtualization infrastructure. vCenter is the "crown jewel" of a VMware deployment: an attacker with vCenter administrative access can manage all VMs across all ESXi hosts, create or destroy VMs, access VM disk contents (including memory snapshots), and reconfigure the entire virtualization layer. vCenter's management port (TCP 443) is often accessible from within corporate networks and sometimes from the internet, and it communicates using several protocols including DCERPC for inter-component communication.
Overview
CVE-2023-34048 is a critical out-of-bounds write vulnerability in VMware vCenter Server's DCERPC (Distributed Computing Environment/Remote Procedure Call) protocol implementation, enabling unauthenticated remote code execution. VMware patched it on October 25, 2023 in VMSA-2023-0023, but a silent additional patch was issued for EOL vCenter 6.7 and 6.5 versions in January 2024 — signaling that active exploitation had been confirmed. Mandiant identified the vulnerability as a zero-day exploited by UNC3886, a China-nexus espionage group, before the patch was publicly available.
Affected Versions
| Product | Fixed Version |
|---|---|
| vCenter Server 8.0 | 8.0 U2 |
| vCenter Server 7.0 | 7.0 U3o |
| VMware Cloud Foundation 5.x | Async patch via KB88287 |
| VMware Cloud Foundation 4.x | Async patch via KB88287 |
VMware also issued out-of-band patches for EOL versions 6.7 and 6.5 in January 2024 due to confirmed active exploitation.
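The fixed-version table above is easy to misread in practice because vCenter reports itself as a dotted version (for example "8.0.2.00100" in the appliance's version summary) rather than as "8.0 U2". The following triage helper is an added example, not code from VMware or from this advisory: it maps a reported version onto the table above and tells an operator whether the install is fixed, affected, EOL (needs the January 2024 out-of-band patch), or needs a build-level check. It assumes VMware's numbering convention that "8.0 Update N" is 8.0.N and "7.0 Update 3x" is 7.0.3.<patch>, where the fourth component, not the version itself, distinguishes the U3 patch letters; because the page does not list the U3o fourth component, the helper reports 7.0 U3 installs as "verify-build" rather than guessing. The `api_payload` shape (a JSON object with a "version" key, as returned by the appliance system version endpoint) is also an assumption.

```python
"""Triage a reported vCenter Server version against the CVE-2023-34048 fix table.

Fixed releases per VMSA-2023-0023, as listed on this page:
  vCenter Server 8.0  -> 8.0 U2
  vCenter Server 7.0  -> 7.0 U3o
  vCenter 6.7 / 6.5   -> EOL; out-of-band patch issued January 2024
Assumption (VMware numbering convention, not stated on the page):
  "8.0 Update N" reports as 8.0.N.x and "7.0 Update 3<letter>" as 7.0.3.<patch>.
"""
import re
from dataclasses import dataclass

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")

# Minimum Update level that contains the fix, per release line (from the table above).
FIXED_UPDATE = {"8.0": 2, "7.0": 3}
EOL_LINES = ("6.7", "6.5")


@dataclass(frozen=True)
class Verdict:
    status: str   # fixed | affected | verify-build | eol | not-listed | unknown
    detail: str


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Split 'major.minor.update[.patch]' into integers; patch defaults to 0."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised vCenter version string: {version!r}")
    major, minor, update, patch = match.groups()
    return int(major), int(minor), int(update), int(patch or 0)


def triage(version: str) -> Verdict:
    """Return the patch status of a reported vCenter version for CVE-2023-34048."""
    try:
        major, minor, update, _patch = parse_version(version)
    except ValueError as exc:
        return Verdict("unknown", str(exc))
    line = f"{major}.{minor}"

    if line in EOL_LINES:
        # The version number cannot show whether the out-of-band patch is present.
        return Verdict("eol", "EOL line: confirm the January 2024 out-of-band patch "
                              "is applied and plan migration to 7.0/8.0")
    if line == "8.0":
        if update >= FIXED_UPDATE["8.0"]:
            return Verdict("fixed", "8.0 U2 or later contains the fix")
        return Verdict("affected", "8.0 GA/U1 predate the 8.0 U2 fix; update now")
    if line == "7.0":
        if update < FIXED_UPDATE["7.0"]:
            return Verdict("affected", "7.0 U3o is the fixed release; earlier updates are vulnerable")
        # U3a..U3o all report 7.0.3; the patch letter is not derivable here.
        return Verdict("verify-build", "7.0 U3 line: confirm the build corresponds to "
                                       "7.0 U3o or later per VMSA-2023-0023")
    return Verdict("not-listed", f"{line} is not in this advisory's fixed-version table")


def triage_api_payload(api_payload: dict) -> Verdict:
    """Triage from a (assumed) appliance version API response carrying a 'version' key."""
    version = api_payload.get("version")
    if not isinstance(version, str):
        return Verdict("unknown", "payload has no 'version' string")
    return triage(version)


if __name__ == "__main__":
    # Constructed sample inputs (not real inventory data).
    for sample in ("8.0.2.00100", "8.0.1.00300", "7.0.3.01800", "7.0.2.00500",
                   "6.7.0.54000", "not-a-version"):
        verdict = triage(sample)
        print(f"{sample:15} {verdict.status:13} {verdict.detail}")
    print(triage_api_payload({"version": "8.0.2.00100", "build": "constructed"}))
```

The helper deliberately refuses to declare a 7.0.3 install fixed; an operator must still compare the build number against VMSA-2023-0023, which is exactly the step most often skipped when the version string "looks patched".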
Technical Details
CWE-787 (Out-of-Bounds Write). The DCERPC protocol handler in vCenter Server contains a memory corruption vulnerability: when processing specially crafted DCERPC requests, the server writes data outside the bounds of an allocated buffer. This out-of-bounds write corrupts adjacent memory, which can be leveraged by an attacker to gain control of program execution. The unauthenticated attack vector (PR:N) means the attacker only needs network access to vCenter's listening ports — no credentials required.
The DCERPC service handles inter-component communication and is accessible via multiple vCenter ports. Successful exploitation achieves arbitrary code execution in the context of the vCenter service account (typically SYSTEM/root on the vCenter appliance), giving full control of the vCenter management plane and, by extension, all managed ESXi hosts and VMs.
Discovery
Discovered by grigoritc and reported to VMware under responsible disclosure through the Trend Micro Zero Day Initiative (ZDI). The three-month gap between the patch (October 2023) and the CISA KEV addition (January 2024) corresponds to Mandiant's publication of research confirming that UNC3886 had exploited this vulnerability as a zero-day, meaning the group had discovered and weaponized it before VMware's patch was available.
Exploitation Context
UNC3886 is a sophisticated China-nexus espionage group with a documented pattern of targeting VMware infrastructure — they previously exploited VMware ESXi and vSphere vulnerabilities (CVE-2021-22005, ESXi zero-days) as part of long-term persistent access campaigns against defense, government, and technology organizations. Their exploitation of CVE-2023-34048 as a zero-day reflects investment in VMware-specific vulnerability research. Mandiant found UNC3886 used vCenter access to deploy backdoors on ESXi hosts, harvest credentials from vCenter's credential store, and maintain persistent infrastructure access that survived security incident response focused on other systems.
The silent issuance of patches for EOL vCenter 6.7/6.5 in January 2024, versions that would normally receive no patches given their EOL status, was VMware's signal that exploitation was serious enough to warrant emergency action for legacy deployments.
Remediation
- Apply VMware patches per VMSA-2023-0023 — update vCenter to fixed versions immediately.
- For EOL vCenter 6.7 or 6.5 deployments: apply the emergency out-of-band patches issued in January 2024, then plan immediate migration to vCenter 7.0 or 8.0, which are actively maintained.
- Restrict network access to vCenter Server (port 443 and DCERPC management ports) to trusted management network segments — vCenter management should never be internet-accessible.
- Review vCenter audit logs for unexpected administrative actions, VM configuration changes, or new user accounts created around the vulnerability disclosure period.
- Check for UNC3886 IOCs published by Mandiant: unusual SSH keys on ESXi hosts, unexpected backdoor processes, or vCenter credential access anomalies.
- After patching, rotate all vCenter service account passwords and vSphere SSO credentials as a precaution if exploitation cannot be ruled out.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-34048 |
| Vendor / Product | VMware — vCenter Server |
| NVD Published | 2023-10-25 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-787 |
| CISA KEV Added | 2024-01-22 |
| CISA KEV Deadline | 2024-02-12 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-10-25 | VMware releases VMSA-2023-0023 patching CVE-2023-34048 — attributed to grigoritc via Trend Micro Zero Day Initiative |
| 2024-01-17 | Mandiant publishes research attributing exploitation of CVE-2023-34048 to UNC3886 as a zero-day in the wild |
| 2024-01-22 | CISA adds CVE-2023-34048 to the Known Exploited Vulnerabilities catalog, three months after the patch, following Mandiant's confirmation of in-the-wild exploitation |
| 2024-02-12 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| VMware Security Advisory VMSA-2023-0023 | Vendor Advisory |
| NVD — CVE-2023-34048 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |