The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2020-4006

CVE-2020-4006: VMware Identity Manager RCE Vulnerability

CVE-2020-4006 is a command injection flaw in VMware Identity Manager and Workspace One Access that enables remote code execution. This article covers the technical details, affected versions, security impact, and mitigation.

Published: March 11, 2026

CVE-2020-4006 Overview

CVE-2020-4006 is a command injection vulnerability affecting VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. This vulnerability allows an attacker with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system. The flaw exists in the administrative configurator component, which fails to properly validate and sanitize user-supplied input before incorporating it into system commands.

Critical Impact

This vulnerability is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities Catalog. Successful exploitation allows attackers to execute arbitrary commands with root-level privileges on the underlying operating system, potentially leading to complete system compromise.

Affected Products

  • VMware Identity Manager versions 3.3.1, 3.3.2, and 3.3.3
  • VMware Identity Manager Connector versions 3.3.1, 3.3.2, and 3.3.3 (Linux and Windows)
  • VMware Workspace ONE Access versions 20.01 and 20.10
  • VMware Cloud Foundation versions 4.0 and 4.0.1
  • VMware vRealize Suite Lifecycle Manager (all versions)

Discovery Timeline

  • November 23, 2020 - CVE-2020-4006 published to NVD
  • October 30, 2025 - Last updated in NVD database

Technical Details for CVE-2020-4006

Vulnerability Analysis

CVE-2020-4006 is a command injection vulnerability (CWE-78: Improper Neutralization of Special Elements used in an OS Command) present in the administrative configurator component of multiple VMware products. The vulnerability exists due to insufficient input validation in the administrative web interface that listens on port 8443. When authenticated administrators submit configuration data through this interface, the application incorporates user-controlled input directly into operating system commands without proper sanitization.

The vulnerability requires an attacker to have network access to the administrative configurator on port 8443 and possess valid credentials for the configurator admin account. However, once these prerequisites are met, the attacker can inject arbitrary operating system commands that execute with the privileges of the underlying service, typically root on Linux systems or SYSTEM on Windows systems. The scope of this vulnerability extends beyond the vulnerable component itself, potentially affecting the confidentiality and integrity of the entire host system and any connected resources.

Root Cause

The root cause of CVE-2020-4006 is improper input validation in the administrative configurator component. The application fails to adequately sanitize user-supplied input before passing it to system shell commands. This allows an authenticated attacker to inject malicious shell metacharacters and commands that are subsequently executed by the operating system. The vulnerable code path exists in the web-based administrative interface, where configuration parameters are processed without proper escaping or validation against command injection patterns.

Attack Vector

The attack is conducted over the network by targeting the administrative configurator service on port 8443. The attacker must first obtain valid credentials for the configurator admin account through methods such as credential theft, brute force attacks, or social engineering. Once authenticated, the attacker can craft malicious HTTP requests containing specially formatted input that includes shell metacharacters and commands. When the server processes these requests, the injected commands are executed on the underlying operating system with elevated privileges, allowing the attacker to install backdoors, exfiltrate data, pivot to other systems, or perform any other actions permitted by the service account privileges.

The exploitation of this vulnerability in real-world attacks has been documented, with threat actors leveraging it to gain initial access to enterprise networks. The fact that this vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog underscores its significance and the importance of immediate remediation.

Detection Methods for CVE-2020-4006

Indicators of Compromise

  • Unusual network connections or traffic to/from port 8443 on affected VMware systems
  • Unexpected processes spawned as child processes of the VMware Identity Manager or Workspace ONE Access services
  • Suspicious entries in application and system logs indicating command execution attempts
  • Unauthorized modifications to system configurations or creation of new administrative accounts
  • Evidence of lateral movement originating from affected VMware infrastructure components

Detection Strategies

  • Monitor authentication logs for the administrative configurator on port 8443 for failed login attempts or successful logins from unexpected IP addresses
  • Implement network intrusion detection rules to identify potential command injection patterns in HTTP traffic to port 8443
  • Deploy endpoint detection and response (EDR) solutions to detect anomalous process creation and command-line execution patterns on affected systems
  • Enable and review application-level logging for VMware Identity Manager and Workspace ONE Access components

Monitoring Recommendations

  • Configure SIEM rules to alert on multiple failed authentication attempts to the administrative configurator interface
  • Implement file integrity monitoring on critical system files and VMware application directories
  • Enable verbose logging on affected VMware products and forward logs to centralized security monitoring systems
  • Regularly audit user accounts and access permissions for the administrative configurator

How to Mitigate CVE-2020-4006

Immediate Actions Required

  • Apply the security patches provided by VMware as outlined in VMware Security Advisory VMSA-2020-0027 immediately
  • Restrict network access to the administrative configurator on port 8443 to trusted management networks only
  • Implement strong, unique passwords for the configurator admin account and rotate credentials
  • Review system logs for any indicators of prior exploitation and conduct forensic analysis if compromise is suspected
  • Consider temporarily disabling the administrative configurator if not actively required until patching is complete

Patch Information

VMware has released security patches to address CVE-2020-4006. Organizations should consult the VMware Security Advisory VMSA-2020-0027 for detailed patch instructions and download links specific to their product versions. The patches address the command injection vulnerability by implementing proper input validation and sanitization for user-supplied configuration data. Additional technical details are available from CERT Vulnerability Report #724367.

Workarounds

  • Implement strict network segmentation to isolate affected VMware systems and limit access to port 8443 from trusted administrative networks only
  • Use firewall rules to block external access to the administrative configurator interface on port 8443
  • Enable multi-factor authentication (MFA) for administrative access where supported
  • Monitor and audit all administrative access to affected systems until patches can be applied
  • Consider deploying a web application firewall (WAF) with rules to detect and block command injection attempts
bash
# Example: Restrict access to administrative configurator using iptables
# Allow access only from trusted management subnet
iptables -A INPUT -p tcp --dport 8443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechVmware Identity Manager
  • SeverityCRITICAL
  • CVSS Score9.1
  • EPSS Probability12.83%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CISA KEV Information
  • In CISA KEVYes
  • CWE References
  • CWE-78
  • Technical References
  • CERT Vulnerability Report #724367
  • CISA Known Exploited Vulnerabilities CVE-2020-4006
  • Vendor Resources
  • VMware Security Advisory VMSA-2020-0027
  • Related CVEs
  • CVE-2022-22954: VMware Identity Manager RCE Vulnerability
  • CVE-2023-20884: VMware Identity Manager Info Disclosure
  • CVE-2022-31656: VMware Identity Manager Auth Bypass Flaw
  • CVE-2022-22972: VMware Identity Manager Auth Bypass Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English