Skip to main content
Mallory
Back to vulnerabilities
LowCISA KEVExploited in the wildPublic exploit

Authentication Bypass in VMware Tools Host-to-Guest Operations

IdentifiersCVE-2023-20867CWE-287· Improper Authentication

CVE-2023-20867 is an authentication bypass vulnerability in VMware Tools that affects host-to-guest operations. According to the provided content, a fully compromised ESXi host can cause VMware Tools to fail authentication checks for host-to-guest operations, allowing commands and guest operations to be executed inside guest virtual machines without the normally required authentication. Reporting cited in the content states the flaw was exploited by UNC3886 and later observed in Fire Ant activity to execute unauthenticated Guest Operations from ESXi hosts into Windows, Linux, and PhotonOS guest VMs, including via PowerCLI and vmtoolsd-mediated execution paths. The issue impacts the trust boundary between a compromised hypervisor and its guest VMs by permitting unauthorized interaction with guest systems once the ESXi host is under attacker control.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation compromises the confidentiality and integrity of guest virtual machines. An attacker who has already fully compromised an ESXi host can bypass authentication for VMware Tools host-to-guest operations and execute privileged commands inside guest VMs, transfer files, interact directly with guest operating systems, and facilitate credential theft or further lateral movement. The content indicates this was used to run commands across Windows, Linux, and PhotonOS guests and to support broader full-stack compromise of VMware environments.

Mitigation

If you can’t patch tonight, do this now.

Based on the provided content, mitigation should focus on preventing and containing hypervisor compromise and reducing abuse paths between vCenter/ESXi and guest VMs. The content specifically recommends patching VMware vCenter and ESXi instances, restricting vCenter access with firewall rules, using unique and complex passwords for ESXi root and vCenter administrative accounts, applying privileged identity management, and enabling ESXi Normal Lockdown Mode. More generally, limiting administrative access to virtualization infrastructure and monitoring for anomalous VMware Guest Operations or vmtoolsd-initiated command execution in guest VMs would reduce exposure.

Remediation

Patch, then assume compromise.

Apply the vendor-provided VMware patches or updates that address CVE-2023-20867 in the affected VMware/VMware Tools stack. Because the vulnerability is exploitable from a compromised ESXi host, remediation should include patching affected ESXi/VMware components and validating the integrity of both hypervisor and guest management tooling. If compromise is suspected, incident response should include rebuilding or otherwise re-establishing trust in the ESXi host, rotating credentials exposed through vCenter/ESXi/guest interactions, and reviewing guest VMs for unauthorized host-initiated operations performed through VMware Tools.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
BroadcomToolsapplication
DebianDebian Linuxoperating_system
Fedora ProjectFedoraoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

14 SOURCESView more in app
cyfirma newsNews
Feb 20, 2026
Weekly Intelligence Report - 20 February 2026 - CYFIRMA

A vulnerability (unspecified in the content) affecting VMware Tools that is listed as exploited by the threat actor UNC3886/Volt Typhoon.

Read more
bleeping computerNews
Feb 9, 2026
Chinese cyberspies breach Singapore's four largest telcos

A VMware ESXi vulnerability referenced as a zero-day used by UNC3886 in targeted intrusions.

Read more
dark readingNews
Jul 25, 2025
'Fire Ant' Cyber Spies Compromise Siloed VMware Systems

An authentication bypass flaw used to execute commands inside guest virtual machines without required authentication in VMware environments.

Read more
the hacker newsNews
Jul 24, 2025
Fire Ant Exploits VMware Flaws to Compromise ESXi Hosts and vCenter Environments

A vulnerability in VMware Tools leveraged post-compromise to enable direct interaction with guest VMs (via PowerCLI), supporting lateral movement and credential access from VM memory snapshots.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence10

Every observed campaign linking this CVE to a named adversary.

Associated malware3

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-20867
NVD
nvd.nist.gov/vuln/detail/CVE-2023-20867
MITRE CWE · CWE-287
Improper Authentication
Patch
openwall.com/lists/oss-security/2023/10/16/11
Patch
openwall.com/lists/oss-security/2023/10/16/2
Patch
vmware.com/security/advisories/VMSA-2023-0013.html
Third Party Advisory
lists.debian.org/debian-lts-announce/2023/08/msg00020.html
Third Party Advisory
security.netapp.com/advisory/ntap-20230725-0001
Third Party Advisory
debian.org/security/2023/dsa-5493
Release Notes
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVKQ6Y2JFJRWPFOZUOTFO3H27BK5GGOG
Release Notes
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TJNJMD67QIT6LXLKWSHFM47DCLRSMT6W
Release Notes
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZJM6HDRQYS74JA7YNKQBFH2XSZ52HEWH
+1 more reference
view more in app