VMware Zero-Day Under Active Exploitation
A critical remote code execution vulnerability designated as CVE-2025-1234 has been discovered in VMware vCenter Server, with security researchers confirming active exploitation in the wild. The vulnerability carries a CVSS score of 9.8 (Critical) and affects all currently supported versions of the virtualization management platform.
Vulnerability Details
The flaw resides in the vCenter Server’s DCE/RPC protocol implementation, specifically within the handling of specially crafted network packets. An unauthenticated attacker with network access to vCenter Server can trigger a heap-based buffer overflow, leading to remote code execution with root privileges.
Affected Versions
- VMware vCenter Server 8.0 (all versions prior to 8.0 Update 3)
- VMware vCenter Server 7.0 (all versions prior to 7.0 Update 5)
- VMware Cloud Foundation 5.x and 4.x (prior to corresponding patches)
Active Exploitation
According to threat intelligence reports, multiple Advanced Persistent Threat (APT) groups have been observed exploiting this vulnerability since early May 2026. The attacks primarily target:
- Financial services organizations in North America and Europe
- Cloud service providers using VMware-based virtualization
- Government agencies with exposed vCenter management interfaces
Mitigation Steps
Organizations running affected versions should take immediate action:
- Apply patches immediately — VMware has released security updates for all affected versions
- Restrict network access — Ensure vCenter Server management interfaces are not exposed to the internet
- Review access logs — Check for signs of unauthorized access or unusual network connections
- Implement network segmentation — Limit lateral movement capabilities within the virtualized environment
Indicators of Compromise (IoCs)
Security researchers have identified the following IoCs associated with exploitation attempts:
- Unexpected outbound connections from vCenter Server on ports 443 and 8443
- Unusual processes spawned from the vCenter Server service account
- Modification of vCenter Server configuration files
- Presence of webshells in the /usr/lib/vmware-vcenter-server/ directory
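As an added example (not part of the advisory and not VMware tooling), the following Python sketch shows one way a responder could triage the last IoC above: a heuristic sweep for script-type files with webshell-like content. The extension list and content patterns are my own assumptions, and the sample tree the demo builds is constructed, not real vCenter files.

```python
import os
import re
import tempfile

# Heuristics (my own, not from the advisory): script-type extensions that
# rarely appear as fresh drops in the vCenter install tree, plus content
# fragments typical of JSP/PHP webshells.
SUSPECT_EXTENSIONS = {".jsp", ".jspx", ".php", ".war", ".py", ".sh"}
SUSPECT_PATTERNS = [
    re.compile(rb"Runtime\.getRuntime\(\)\.exec"),   # Java command execution
    re.compile(rb"request\.getParameter\("),          # JSP reading request input
    re.compile(rb"\b(eval|exec|passthru|shell_exec|system)\s*\("),
    re.compile(rb"base64_decode\("),
]


def scan_for_webshells(root):
    """Return sorted (relative_path, matched_patterns) for files under root with a
    suspect extension whose first 64 KiB matches at least one pattern."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXTENSIONS:
                continue
            try:
                with open(full, "rb") as fh:
                    head = fh.read(65536)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            hits = [p.pattern.decode() for p in SUSPECT_PATTERNS if p.search(head)]
            if hits:
                findings.append((os.path.relpath(full, root), hits))
    return sorted(findings)


def demo():
    """Build a constructed sample tree (not real vCenter files) and scan it."""
    base = tempfile.mkdtemp()
    samples = {
        "webclient/cmd.jsp": b"<% Runtime.getRuntime().exec(request.getParameter(...)) %>",
        "scripts/health.sh": b"#!/bin/sh\nsystemctl status vmware-vpxd\n",
        "scripts/drop.php": b"<?php eval(base64_decode($_POST['x'])); ?>",
        "lib/notes.txt": b"eval( is only mentioned in this text file",
    }
    for rel, data in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return [rel for rel, _hits in scan_for_webshells(base)]
```

On an appliance, point scan_for_webshells at the /usr/lib/vmware-vcenter-server/ directory named in the IoC list and review every hit by hand; a pattern match is a triage cue, not proof of compromise.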
Conclusion
This is a critical vulnerability that requires immediate attention. With active exploitation confirmed and the high potential for widespread impact, organizations should prioritize patching and implement the recommended mitigations without delay.