Home / Threat Intelligence bulletins / Zero-day unauthenticated file exfiltration vulnerability found in VMware tools

Target Industry

Telecommunications, defence, and technology sectors.


The state-sponsored Chinese espionage group, named UNC3886, have been observed using a zero-day exploitation within VMware tools that would allow attackers to bypass authentication to exfiltrate data using root access to an ESXi host. The vulnerability, being tracked as CVE-2023-208670, is believed to be part of a larger picture exploiting both vCenter servers and the ESXi hypervisor. The vulnerability has since been disclosed to VMware and a security patch to remediate the exploit has been made available.

The vulnerability is exploited through attackers first gaining privileged access to a vCenter server then installing a backdoor into the ESXi hosts, where the zero-day vulnerability was used to execute privileged malicious commands to exfiltrate data from guest virtual machines.


Through successful exploitation of the vulnerability, an attacker can bypass network segmentation, make use of effective defence evasion and persistence mechanisms if access to the virtual machines is maintained, move laterally, and execute the highest privilege commands on any virtual machine running under the exploited ESXi host.

All of these in combination can allow an attacker within a target environment to compromise or exfiltrate sensitive company data and retain access with little difficulty for monetary gain or intent for further exploitation.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against known threats. EDRs can alert system users of potential breaches and prevent further progress, prior to the malware being able to implement significant damage.

Affected Products


Containment, Mitigations & Remediations

As mentioned previously, it is recommended that an EDR solution is implemented which will allow for the prevention or mitigation of potential attacks from a wide range of threats in real time.

All devices should implement the most recent vendor updates available as these will contain updates to their security features to help prevent exploitation from known threats.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

VMware occupies a significant proportion of the virtualisation market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, VMware products have become a prime target for threat actors. Due to the fact that virtual machines have become an integral aspect of both personal and business operations, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive information contained therein.

Threat Group

The group involved has been observed in a recent campaign targeting various defence, telecoms, and technology groups. Little information is available about the group currently. However, an investigation is underway by the Google-owned Mandiant group and details of the techniques associated with the group have since been published.

Further Information

VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors

Chinese Threat Actor Abused ESXi Zero-Day to Pilfer Files From Guest VMs

Intelligence Terminology Yardstick