Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2023-34038

CVE-2023-34038: VMware Horizon Information Disclosure

CVE-2023-34038 is an information disclosure vulnerability in VMware Horizon that allows attackers with network access to obtain internal network configuration details. This article covers technical analysis, affected systems, and mitigation.

Updated:

CVE-2023-34038 Overview

CVE-2023-34038 is an information disclosure vulnerability in VMware Horizon Server. A malicious actor with network access to the affected Horizon Client can retrieve information related to the internal network configuration. The flaw does not require authentication or user interaction, which lowers the barrier for opportunistic reconnaissance against enterprise virtual desktop infrastructure (VDI) deployments.

VMware addressed the issue in VMware Security Advisory VMSA-2023-0017. The vulnerability affects multiple Horizon Client release trains, including 2006 through 2212. The EPSS score for CVE-2023-34038 is 0.668% with a percentile of 71.492, indicating moderate observed interest relative to other CVEs.

Critical Impact

Network-adjacent attackers can enumerate internal network configuration data from vulnerable Horizon deployments without authentication, supporting reconnaissance for follow-on attacks against VDI infrastructure.

Affected Products

  • VMware Horizon Client versions 2006, 2012, 2103, and 2106
  • VMware Horizon Client versions 2111 and 2111.1
  • VMware Horizon Client versions 2203 and 2212

Discovery Timeline

  • 2023-08-04 - CVE-2023-34038 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2023-34038

Vulnerability Analysis

CVE-2023-34038 is an information exposure issue affecting VMware Horizon Server components reachable through the Horizon Client. An unauthenticated attacker with network access to the service can issue requests that return data describing the internal network configuration of the Horizon deployment. The disclosed information can include details that are not intended for external visibility, such as internal hostnames, addressing, or topology indicators.

The vulnerability impacts confidentiality only. Integrity and availability of the Horizon environment are not directly affected, and the scope remains unchanged. NVD classifies the weakness as NVD-CWE-noinfo because the precise weakness type was not assigned at publication. VMware's advisory VMSA-2023-0017 is the authoritative reference for affected versions and fixed builds.

Root Cause

The root cause is improper restriction of information returned by Horizon Server to network clients. The service exposes configuration-related data to callers who should not have visibility into internal deployment details. Because no privileges or user interaction are required, any actor who can reach the Horizon service over the network can trigger disclosure.

Attack Vector

The attack vector is network-based. An attacker sends crafted requests to a reachable Horizon Server endpoint and parses the response for internal network configuration data. The disclosed data is typically used as reconnaissance to map internal infrastructure prior to targeted exploitation of other services. No public proof-of-concept or exploit code is listed for CVE-2023-34038, and the CVE is not on the CISA Known Exploited Vulnerabilities list.

No verified exploit code is available for CVE-2023-34038. Refer to VMware Security Advisory VMSA-2023-0017 for vendor-provided technical context.

Detection Methods for CVE-2023-34038

Indicators of Compromise

  • Unexpected unauthenticated requests to Horizon Server endpoints originating from untrusted or external network ranges.
  • Responses from Horizon Server containing internal hostnames, IP ranges, or topology metadata sent to non-administrative clients.
  • Scanning patterns that enumerate Horizon Client versions across the public attack surface.

Detection Strategies

  • Inventory Horizon Client and Horizon Server versions and flag any instance running release trains 2006 through 2212 that have not been patched per VMSA-2023-0017.
  • Inspect web and load-balancer logs for repeated or anomalous requests to Horizon service paths from a small set of source addresses.
  • Correlate Horizon access logs with perimeter telemetry to identify reconnaissance preceding access attempts against internal assets.

Monitoring Recommendations

  • Forward Horizon Server, gateway, and reverse-proxy logs to a centralized analytics platform for retention and correlation.
  • Alert on Horizon Server responses returned to source IPs outside expected user populations or geographies.
  • Track outbound queries to internal hosts whose names or addresses appear only in Horizon configuration responses.

How to Mitigate CVE-2023-34038

Immediate Actions Required

  • Identify all Horizon Client and Horizon Server instances in scope, including any internet-facing connection servers and unified access gateways.
  • Apply the fixes documented in VMware Security Advisory VMSA-2023-0017 to every affected component.
  • Restrict network exposure of Horizon Server management and client interfaces to known administrator and user networks.

Patch Information

VMware published fixed builds for affected Horizon Client release trains in VMSA-2023-0017. Upgrade Horizon Client deployments to the versions identified as resolved in that advisory. Confirm version strings on each endpoint after deployment to verify remediation.

Workarounds

  • Place Horizon Server behind an authenticated reverse proxy or VPN to remove unauthenticated network reachability.
  • Apply firewall rules that limit access to Horizon service ports to known client subnets only.
  • Disable or remove unused Horizon connection servers to reduce the exposed surface until patching completes.
bash
# Example: restrict inbound access to Horizon service ports using iptables
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne