CVE-2020-3955 Overview
CVE-2020-3955 is a stored Cross-Site Scripting (XSS) vulnerability affecting VMware ESXi versions 6.5 and 6.7. The vulnerability exists due to improper neutralization of script-related HTML content when viewing virtual machine attributes. An attacker with access to virtual machine configuration could inject malicious scripts that execute in the context of other administrative users who view the affected VM attributes, potentially leading to session hijacking, credential theft, or unauthorized administrative actions.
Critical Impact
This XSS vulnerability enables attackers to execute arbitrary JavaScript in the browsers of administrators viewing VM attributes, potentially compromising administrative sessions and enabling lateral movement within the virtualization infrastructure.
Affected Products
- VMware ESXi 6.5 (all versions prior to patch ESXi650-201912104-SG)
- VMware ESXi 6.7 (all versions prior to patch ESXi670-202004103-SG)
- VMware ESXi environments using vSphere Web Client or Host Client for management
Discovery Timeline
- April 29, 2020 - CVE-2020-3955 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-3955
Vulnerability Analysis
This vulnerability stems from improper input validation and output encoding when processing virtual machine attribute data within the ESXi management interfaces. When administrators view virtual machine properties or configurations through the vSphere Web Client or ESXi Host Client, the system fails to properly sanitize HTML and script content embedded in VM attributes such as names, annotations, or custom fields.
The stored nature of this XSS vulnerability makes it particularly dangerous, as the malicious payload persists in the ESXi configuration and executes every time an administrator views the affected virtual machine's attributes. This creates an opportunity for attackers who have gained limited access to VM configuration (potentially through compromised credentials or a lower-privileged account) to escalate their access by targeting administrators.
The impact extends beyond simple script execution—successful exploitation could allow attackers to steal administrative session tokens, perform actions on behalf of authenticated administrators, exfiltrate sensitive configuration data, or establish persistent backdoor access to the virtualization management infrastructure.
Root Cause
The root cause is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability. The ESXi web management interfaces do not properly encode or sanitize user-controllable input stored in virtual machine attributes before rendering that content in HTML contexts. This allows script tags, event handlers, and other malicious HTML constructs to be interpreted and executed by the victim's browser rather than being displayed as harmless text.
Attack Vector
The attack requires network access to the ESXi management interface and some level of access to modify virtual machine attributes. An attacker would craft a malicious payload containing JavaScript code and inject it into a VM attribute field. The payload could be designed to:
- Steal session cookies or authentication tokens
- Redirect administrators to phishing pages
- Make API calls on behalf of the authenticated user
- Modify system configurations silently
- Create new administrative accounts
The malicious script executes within the browser context of any administrator who subsequently views the VM properties, inheriting their privileges and session context. Since ESXi environments often have multiple administrators, this creates a high probability of successful exploitation once the payload is planted.
Detection Methods for CVE-2020-3955
Indicators of Compromise
- Unexpected JavaScript or HTML tags present in virtual machine name fields, annotations, or custom attributes
- Browser developer tools showing script execution from VM attribute data sources
- Unusual API calls or configuration changes originating from administrative sessions
- Session cookies being transmitted to external or unexpected destinations
Detection Strategies
- Implement Content Security Policy (CSP) headers on ESXi management interfaces where possible to detect and block inline script execution
- Monitor ESXi audit logs for suspicious modifications to virtual machine attributes, particularly those containing special characters like <, >, or script
- Review virtual machine annotations and custom fields periodically for unexpected content
- Deploy web application firewall rules to detect XSS patterns in requests to ESXi management interfaces
Monitoring Recommendations
- Enable and centralize logging from vCenter Server and ESXi hosts to detect unusual administrative activity
- Configure alerting for bulk modifications to VM attributes or creation of VMs with suspicious names
- Monitor for signs of session hijacking such as simultaneous logins from different source IPs
- Implement network traffic analysis to detect exfiltration of session tokens or credentials
How to Mitigate CVE-2020-3955
Immediate Actions Required
- Apply VMware security patches immediately: ESXi650-201912104-SG for ESXi 6.5 and ESXi670-202004103-SG for ESXi 6.7
- Audit all virtual machines for suspicious content in names, annotations, and custom fields
- Review administrative access logs for signs of unauthorized VM attribute modifications
- Restrict access to ESXi management interfaces to trusted networks and administrators only
Patch Information
VMware has released security patches to address this vulnerability. Organizations running affected versions should apply the following patches as documented in VMware Security Advisory VMSA-2020-0008:
- ESXi 6.5: Apply patch ESXi650-201912104-SG
- ESXi 6.7: Apply patch ESXi670-202004103-SG
These patches implement proper input sanitization and output encoding for virtual machine attribute data, preventing the injection and execution of malicious scripts.
Workarounds
- Implement network segmentation to restrict access to ESXi management interfaces from untrusted networks
- Use role-based access control to limit which users can modify virtual machine attributes
- Enable browser security features and extensions that can detect or block XSS attacks
- Consider implementing additional web application firewalls in front of vSphere management interfaces
# Verify current ESXi patch level
esxcli software vib list | grep -i esx-base
# Check for applied security patches on ESXi 6.5
esxcli software vib list | grep ESXi650-201912104
# Check for applied security patches on ESXi 6.7
esxcli software vib list | grep ESXi670-202004103
# Review VM annotations for suspicious content (PowerCLI)
# Get-VM | Select Name, Notes | Where-Object {$_.Notes -match "<script|javascript|onerror|onclick"}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
